August 22, 2025

Warlock ransomware: Opportunistic campaigns with strategic implications

On August 21, 2025, Colt Technology Services, a UK-based telecommunications and network services provider, disclosed that they had experienced a cyber incident involving unauthorized access to internal systems. The company confirmed that “some data has been taken,” following an earlier report of operational disruptions on August 12.

Subsequent analysis by security researchers attributed the incident to the Warlock ransomware group.

This attribution places Warlock at the center of a high-impact campaign affecting Colt’s operations across 40 countries. The attack reportedly disrupted customer-facing services, including portals, voice APIs, and monitoring systems.

According to BleepingComputer, Warlock claimed to have exfiltrated over one million documents containing financial records, network architecture details, and Colt’s customer data. The group advertised the stolen data on the RAMP cybercrime forum, offering it for $200,000 USD.

Warlock is a newly emerged ransomware family. First observed in June 2025, the group was introduced via a recruitment post on the RAMP cybercriminal forum. Warlock quickly adopted a ransomware-as-a-service (RaaS) model, distributing its payload through a closed affiliate network.

Within weeks, Warlock claimed responsibility for attacks across multiple continents, targeting sectors including government, finance, manufacturing, telecommunications, and technology. These incidents were corroborated by victim disclosures and matched with data posted to Warlock’s leak site.

In mid-July, Microsoft linked Warlock to Storm-2603, a China-based advanced persistent threat (APT) group observed exploiting a set of zero-day vulnerabilities in Microsoft SharePoint, collectively referred to as ToolShell, to deploy ransomware, including Warlock and LockBit Black. The campaign compromised over 400 SharePoint servers across 148 organizations in 21 countries.

By late July, Warlock expanded its victim set to include consumer goods and professional services. It also claimed responsibility for incidents previously attributed to Black Basta, suggesting either a rebrand or shared affiliate infrastructure.

As of late August, Warlock has claimed at least 19 confirmed attacks. Its targeting is opportunistic, focusing on organizations with exposed infrastructure and unpatched systems.

Analyst insight

While Warlock activity has been linked to Storm-2603, attribution remains inconclusive. It is plausible that Storm-2603 is not the sole operator of Warlock, but rather one of the clients within the broader RaaS ecosystem. This interpretation is supported by observed deployment of both Warlock and LockBit Black by Storm-2603, suggesting access to multiple ransomware kits rather than exclusive development.

Warlock’s targeting, which spans multiple countries and multiple sectors, does not align with the strategic victim selection typical of nation-state operations. Instead, the campaign appears driven by technical opportunity and financial gain, consistent with the behavior of freelance operators or affiliates acting independently of state directives.

This raises the possibility that Chinese nation-state actors may be purchasing access to ransomware tools or services from cybercriminal marketplaces, using them for both sanctioned operations and unsanctioned personal profit. The dual-use nature of these tools complicates attribution and response, as the same ransomware strain may be used in both espionage and extortion contexts.

Regardless of attribution, organizations should prioritize defense. The RaaS model has made sophisticated ransomware tools widely accessible, making infrastructure exposure the primary risk factor. Whether deployed by a state-sponsored actor or a criminal affiliate, the operational impact remains the same.

Effective mitigation depends on resilience, detection, and response readiness, grounded in security fundamentals such as vulnerability management, network segmentation, and incident response planning.