UK-based telecommunications provider Colt Technology Services has confirmed that sensitive customer-related documentation was stolen in a recent ransomware incident. The company initially disclosed on August 12 that it had suffered a cyberattack, but this marks the first confirmation that data exfiltration took place.
In its updated advisory, Colt revealed that a criminal group accessed specific files from its systems that may contain customer information and subsequently posted the filenames on dark web forums.
To assist affected clients, Colt has set up a dedicated call center where customers can request the list of exposed filenames. “We understand that this is concerning for you,” the company stated in its advisory. Notably, Colt also implemented a no-index HTML meta tag on the advisory webpage, ensuring the content would not appear in search engine results.
The development follows claims from the Warlock ransomware gang, also known as Storm-2603, that they are auctioning one million stolen Colt documents for $200,000 on the Ramp cybercrime marketplace. The group alleges the files contain financial data, customer records, and details of network architecture.
Cybersecurity experts verified that the Tox ID used in the forum listing matches identifiers seen in the gang’s earlier ransom notes, strengthening the link to Colt’s breach.
The Warlock Group, attributed to Chinese threat actors, emerged in March 2025 and initially leveraged leaked LockBit Windows and Babuk VMware ESXi encryptors to launch attacks. Early operations used LockBit-style ransom notes modified with unique Tox IDs to manage negotiations.
By June, the group rebranded under the name “Warlock Group,” establishing its own negotiation platforms and leak sites to facilitate extortion.
Recent intelligence reports, including one from Microsoft, have indicated that the group has been exploiting vulnerabilities in Microsoft SharePoint to gain unauthorized access to corporate networks. Once inside, they deploy ransomware to encrypt data and steal sensitive files for leverage.
The group’s ransom demands vary significantly, ranging from $450,000 to several million dollars, depending on the target organization and data involved.
Colt’s disclosure highlights ongoing challenges faced by enterprises in safeguarding critical infrastructure against sophisticated ransomware actors. Telecommunications companies, which manage vast volumes of sensitive customer and network data, remain particularly attractive targets.
As threat actors refine their tactics and increasingly combine encryption with data theft, the risks to both organizations and their clients continue to escalate.
While Colt has not confirmed whether it plans to engage with the ransomware operators, the company emphasized its focus on mitigating the impact for customers.
For now, the stolen documents remain for sale on the dark web, and the situation underscores the broader need for enterprises to strengthen resilience against the evolving ransomware landscape.
