Warlock Ransomware has carried out a major attack on Colt Technology Services, one of the UK’s largest telecom providers. The attackers claim to have stolen and auctioned company files, and Colt has now confirmed the breach. Sensitive data linked to customers is among the stolen material, raising concerns about privacy and trust.
This incident is alarming for several reasons:
- Scale of the theft – Nearly one million internal documents were advertised for sale.
- Unusual extortion tactic – Instead of leaking the data, Warlock Ransomware auctioned it.
- Potential customer exposure – Some of the stolen files include personal or sensitive information.
The case shows how ransomware groups are changing their methods to maximize pressure and profit.
Colt Confirms the Data Theft
Colt Technology Services disclosed that data had been stolen from its systems after a ransomware incident earlier in August 2025. The company confirmed that certain files may contain customer-related information. Customers can request a full list of stolen filenames through a dedicated call center, allowing them to assess their exposure.
Auction of Stolen Files
Warlock Ransomware moved away from the typical double extortion model. Instead, the group auctioned the stolen data on the Ramp cybercrime forum. Reports show the attackers demanded $200,000 for access to nearly one million documents.
The stolen materials included:
- Payroll and HR data
- Budgets and financial spreadsheets
- Infrastructure documentation
- Legal and compliance files
- Meeting minutes and internal reports
The range of these documents shows how deeply Colt’s internal systems were compromised.
Attack Method and Exploited Vulnerability
Researchers believe the attackers used a SharePoint zero-day flaw, CVE-2025-53770, to breach Colt’s systems. This vulnerability allowed remote code execution and facilitated large-scale data theft. Analysts estimate that several hundred gigabytes of files were stolen during the attack, making it one of the most damaging incidents Colt has faced.
Impact on Colt and Its Customers
The company was forced to shut down internal services, including the Colt Online portal and voice API platform. Although Colt’s core telecommunications infrastructure remained intact, the breach revealed critical weaknesses. Customers now face the possibility that sensitive details, such as financial or personal data, may be in the hands of criminals.
Broader Risks of Warlock Ransomware
Warlock Ransomware represents a growing shift in cybercrime tactics. By auctioning stolen data instead of just encrypting it, the group maximizes profit while exposing companies to longer-term reputational harm. For industries like telecommunications, the attack highlights urgent needs:
- Faster patch management to close known vulnerabilities.
- Stronger security monitoring across customer-facing portals.
- Incident response planning to reduce the impact of future attacks.
Final Thoughts
The Warlock Ransomware attack on Colt demonstrates how ransomware tactics continue to evolve. By exploiting a zero-day flaw and auctioning stolen data, the group created widespread risk for both the company and its customers. The case serves as a warning that critical service providers must act faster on vulnerabilities and strengthen defenses against increasingly aggressive ransomware operations.