TP-2026-0048 high AI Draft C

Patriot Regional ECC Cyberattack Disrupts Massachusetts Towns

Date April 1, 2026
Attack Type ransomware Sector Government / Emergency Services
Geography United States (Massachusetts)
Threat Actor Unknown
Attribution A4
Confidence C

Summary

On April 1, 2026, a cyberattack on the Patriot Regional Emergency Communications Center in Pepperell, Massachusetts, disrupted telephone and administrative communications for police, fire, and EMS departments serving four regional towns: Pepperell, Dunstable, Townsend, and Ashby. Non-emergency phone lines were disabled; 911 emergency dispatch systems remained operational on separate, protected infrastructure. Agencies reverted to radio-based manual dispatch procedures during the outage.

The attack vector has not been publicly disclosed. Public reporting notes that the affected center used the CodeRED emergency notification platform, whose parent company Crisis24 suffered a ransomware attack in November 2025. Available reporting has not established a confirmed causal link between the prior Crisis24 breach and the April 2026 disruption; the contextual overlap does not constitute a confirmed attack chain in available public reporting.

The incident affected regional emergency communications infrastructure. The continued operation of 911 systems indicates effective network segmentation between emergency dispatch and administrative telephone infrastructure, but non-emergency systems lacked equivalent protection.

Technical Analysis

The Patriot Regional Emergency Communications Center operates as the central dispatch hub for Pepperell, Dunstable, Townsend, and Ashby. The center uses the CodeRED platform (Crisis24) for emergency notifications and operates telephone and administrative communications systems alongside the 911 emergency dispatch infrastructure.

The attack took the telephone exchange and business communications systems offline. The 911 dispatch infrastructure, operating on a separate network segment, remained functional. This separation allowed emergency dispatch to continue using radio backup procedures while administrative and non-emergency telephone communications were unavailable.

The specific attack mechanism has not been publicly disclosed. The disruption pattern is consistent with ransomware deployment against communications systems, though direct intrusion without encryption or a fault triggered during remediation of connected systems cannot be ruled out. No actor has claimed responsibility and no attribution has been established.

CodeRED connection: Crisis24 (parent company of CodeRED) suffered a ransomware attack in November 2025. Public reporting on the Patriot Regional incident notes a CodeRED-connected system among those affected. Whether the April 2026 disruption resulted from credential reuse from the November 2025 breach, a separate direct intrusion, or a fault unrelated to that prior incident has not been confirmed by available sources.

Attack Chain

Stage 1: Initial Access (Mechanism Undisclosed)

The attacker gained access to Patriot Regional ECC systems through an undisclosed vector. Possible paths include credential compromise, exploitation of an exposed service, or lateral movement via a connected platform. The specific initial access method has not been confirmed in public reporting.

Stage 2: Communications Systems Disrupted

Telephone exchange and business communications systems were rendered unavailable. 911 systems, operating on isolated infrastructure, were unaffected. Emergency services detected the outage and activated manual radio dispatch procedures.

Stage 3: Response and Containment

Incident response was initiated. Affected systems were isolated. Law enforcement, fire, and EMS agencies operated under degraded conditions using radio and manual call-logging procedures while restoration and investigation proceeded.

Impact Assessment

Emergency services operations: Non-emergency dispatch and administrative communications were unavailable. Police, fire, and EMS agencies serving four municipalities could not receive non-emergency calls through normal telephone channels. Internal coordination shifted to radio and manual procedures, increasing operational load for all affected agencies.

Public access: Members of the public could not contact regional agencies for non-emergency needs (welfare checks, traffic incidents, civil standbys) through the main phone lines. 911 emergency calls remained unaffected.

Scope: Four towns — Pepperell, Dunstable, Townsend, and Ashby — lost normal non-emergency telephone access to police, fire, and EMS dispatch. The duration of the outage was not specified in available public reporting.

Network segmentation: The continued operation of 911 infrastructure confirms that emergency dispatch was isolated from the affected administrative and telephone systems. This segmentation limited the impact of the attack to non-emergency functions.

Attribution

No actor has claimed responsibility for the Patriot Regional ECC attack. No government agency has publicly attributed the incident. The attack vector remains undisclosed in available public reporting.

The contextual proximity to the November 2025 Crisis24 ransomware breach is noted in reporting, but available sources have not confirmed whether the two incidents share a common actor, whether credentials exposed in the November breach were used in the April attack, or whether the incidents are unrelated. No actor or mechanism has been publicly identified.

Timeline

2025-11-XX — Crisis24 Breach

Crisis24, parent company of CodeRED emergency notification platform, suffered a ransomware attack. The incident affected the platform and connected municipalities. This is noted as sector context; a causal link to the April 2026 Patriot Regional disruption has not been confirmed.

2026-04-01 — Cyberattack Disrupts Patriot Regional ECC

Attacker compromised Patriot Regional Emergency Communications Center systems in Pepperell, Massachusetts. Telephone exchange and business communications systems were rendered unavailable. 911 systems continued operating on separate infrastructure. Police, fire, and EMS agencies for Pepperell, Dunstable, Townsend, and Ashby activated manual radio dispatch procedures.

2026-04-01 — Response Initiated

Incident response teams mobilized. Affected systems isolated. Investigation into the attack vector, scope, and restoration timeline was underway. Regional emergency services coordination continued at reduced capacity through radio backup systems.

Remediation & Mitigation

Immediate response: Isolate affected systems from the network. Activate backup radio dispatch and manual call-logging procedures. Engage state emergency management and CISA for technical assistance. Preserve forensic artifacts for investigation and attribution.

Network architecture: Emergency services networks should maintain strict segmentation between 911 dispatch infrastructure and administrative or third-party-connected systems. Segmentation should be validated through periodic testing and documented verification procedures.

Third-party platform risk: Audit integrations with vendors such as CodeRED, CAD systems, and dispatch platform providers. Review and restrict API permissions to minimum necessary access. Establish incident response procedures specific to supply chain or platform compromise events.

Credential and access controls: Enforce multi-factor authentication on all administrative access to communications systems. Rotate credentials and review access logs following any third-party platform breach that touches connected infrastructure.

Resilience and redundancy: Maintain documented and tested backup procedures for radio dispatch and manual call-taking. Establish mutual aid agreements with neighboring emergency communications centers. Test failover procedures under realistic conditions at regular intervals.

Federal resources: CISA’s Emergency Services Sector provides guidance and technical assistance for emergency communications infrastructure security. Eligible organizations may access CISA assessments and funding through DHS and FEMA grant channels.

Sources & References

ransomwareemergency-servicesgovernmentmunicipalmassachusetts911coderedcrisis24