
Warlock claims ransomware attack on network services firm Colt
UK network services firm Colt is attempting to recover various customer-facing systems following a cyber attack that has been claimed by the Warlock ransomware gang and may have arisen via a SharePoint flaw.
London-headquartered telecoms and network services company Colt is attempting to bring various customer-facing services back online after being hit by a cyber attack claimed by the Warlock ransomware gang.
The incident, which the firm at first chalked up to a technical issue, appears to have started on Tuesday 12 August at around 11am BST, when customers began reporting interruptions to their service.
On the afternoon of Thursday 14 August, Colt reported that it was in fact responding to a cyber incident at Colt Technology Services, which has primarily affected the Colt Online support services and Voice API platforms.
“We recently detected a cyber incident on an internal system. This system is separate from our customers’ infrastructure. We took immediate protective measures to ensure the security of our customers, colleagues, and business, and we proactively notified the relevant authorities. One of our protective measures involved us intentionally taking some systems offline, which has led to the disruption of some of the support services we provide to our customers,” a Colt spokesperson said.
In an update posted on Friday 15 August, Colt said that its teams were continuing to work around the clock to restore access to the impacted systems.
“We appreciate it’s frustrating not being able to use some systems currently, including Colt Online and our Voice API platform, and we’re grateful for your understanding,” said the company.
Colt is advising customers to get in touch via email or phone should they need to, but users should be aware that there may be some delay in responding.
Ransomware gang claims hit
Per cyber news website Bleeping Computer, the cyber attack on Colt was swiftly claimed by the Warlock ransomware group, which has posted details of its intrusion to its dark web leak site.
A hacker who identified themselves with the handle ‘cnkjasdfgd’ claimed to have stolen over a million individual documents which hold data including customer, employee and financial data, and information on Colt’s network architecture and software development.
The gang is supposedly selling off this information for $200,000 (approximately £147,500), which may be an indication that its attempt to extort Colt has been rebuffed. This is unconfirmed.
Writing on social media platform Mastodon, cyber threat researcher Kevin Beaumont suggested that Colt was likely breached via a security feature bypass flaw in Microsoft SharePoint Server. The vulnerability in question – CVE-2025-53770 – bypasses a fix for a previously-patched remote code execution (RCE) bug, and was itself the subject of an emergency fix in July.
CVE-2025-53770 works by enabling an attacker to steal cryptographic keys from unpatched SharePoint servers and then use those keys to create malicious requests that achieve RCE.
Together with a second vulnerability, CVE-2025-53771, it forms the basis of an exploit chain referred to as ToolShell.
Microsoft and others swiftly identified exploitation of ToolShell by Chinese state-backed threat actors, but warned that the Warlock crew was also sniffing around.
Colt's spokesperson told Computer Weekly: “We’re aware of claims regarding the cyber incident. We are currently investigating these claims. Our technical team is focused on restoring the internal systems impacted by the cyber incident and is working closely with third-party cyber experts. We are grateful for our customers’ understanding as we work towards a resolution to fix the impacted internal systems.”
You want a Lamborghini?
A newly-emergent ransomware actor, Warlock announced itself to the world in June with an advertisement on a Russian cyber crime forum titled ‘If you want a Lamborghini, please call me’, according to researchers at Halcyon.
The gang runs a closed, affiliate-style business model and appears to have little known connection to any earlier brands, said Halcyon, reversing an earlier suggestion of a link to LockBit.
It may, however, have a link to a China-based threat actor known as Storm-2603, as evidenced through its use of the ToolShell chain.
To date it has been linked to about 11 cyber attacks, and has claimed 19 more in sectors including government, finance, manufacturing and tech.
This article was updated at 19:10 BST on Friday 15 August 2025 to include a response from Colt.