Colt Data Breach: Warlock Ransomware Auctions Stolen Customer Files

Summary
– Colt Technology Services confirmed that customer documentation was stolen in a ransomware attack by the Warlock gang, who are now auctioning the files.
– The company disclosed the attack occurred on August 12 and has offered customers a way to request a list of filenames posted on the dark web.
– The Warlock Group is selling what they claim to be 1 million documents for $200,000, containing financial, network, and customer information.
– Identified as Chinese threat actors, the group uses leaked LockBit and Babuk encryptors and has rebranded from earlier operations that used customized ransom notes.
– Microsoft reported that the gang exploits a SharePoint vulnerability to breach networks; the gang demands ransoms ranging from $450,000 to millions of dollars.

UK telecommunications firm Colt Technology Services has confirmed that a significant data breach resulted in customer documentation being stolen, with the Warlock ransomware gang now auctioning the stolen files online. The company initially disclosed an attack on August 12 but only recently verified that data extraction occurred. An updated advisory on Colt’s website states that a criminal group accessed files potentially containing customer information and published document titles on the dark web.
Colt acknowledged the concern this incident may cause and is offering affected customers the opportunity to request a list of the exposed filenames through a dedicated call center. As noted by cybersecurity specialist Kevin Beaumont, the company also took steps to limit public visibility of the incident page by adding a no-index meta tag, preventing search engines from cataloging the information.
This confirmation follows reports that the Warlock Group began auctioning what they claim are one million documents stolen from Colt on the Ramp cybercrime forum. The asking price for the data is $200,000, and the leaked materials are said to include sensitive financial records, network architecture details, and extensive customer information.
The threat actor’s post on the forum included a Tox ID that matches identifiers used in earlier versions of the group’s ransom notes, lending credibility to their claims. Also tracked as Storm-2603, the Warlock Group is believed to consist of Chinese threat actors who repurpose leaked LockBit and Babuk encryptors in their attacks.
First appearing in March 2025, the group initially used customized LockBit ransom notes before rebranding as the Warlock Group in June. They now operate their own dedicated negotiation and data leak sites on the dark web. Recent intelligence from Microsoft indicates the actors have been exploiting a SharePoint vulnerability to gain initial access to corporate networks before deploying ransomware.
In negotiations observed by security researchers, the gang has demanded ransoms ranging from $450,000 to several million dollars, reflecting the high value they place on compromised corporate data.
(Source: Bleeping Computer)


