Warlock Colt Leak Analyzed: Sensitive Files Exposed | KELA Cyber

Warlock’s Attack on Colt Leak Analyzed: Sensitive Files Potentially Exposed

The ransomware attack on Colt Technology Services was claimed by the Warlock ransomware group. KELA examined the list of allegedly stolen files published by Warlock.

By KELA Cyber Intelligence Center

Updated August 19, 2025

A recent ransomware attack on Colt Technology Services, a global telecommunications provider operating in over 30 countries, was claimed by the Warlock ransomware group. The breach began on August 12, 2025, and was publicly announced on August 14, with Warlock adding Colt to its leak site and offering the stolen data for sale on August 15-16.

File Analysis: A Broad Range of Sensitive Corporate Data

KELA examined the list of allegedly stolen files published by Warlock on the RAMP cybercrime forum under the alias “cnkjasdfgd.” The document contains 400,977 filenames, whereas Warlock claimed to have stolen 1 million documents. It is therefore possible that the list does not cover all of the stolen data.

While this appears to be a partial leak, the sample alone paints a troubling picture:

File Types:

The filenames indicate that the majority of documents are Microsoft Office files, pointing to extensive data from across Colt’s internal operations:

  • Excel spreadsheets (.xls, .xlsx) – Financial data, customer info, project planning, and infrastructure documentation.

  • Word documents (.doc, .docx) – Legal contracts, HR documents, internal reports, and meeting minutes.

  • PowerPoint presentations (.pptx) – Presentations related to sales, financial performance, and internal planning.

Topics Covered:

A range of topics across core operational areas appear in the list:

  • Network Infrastructure and Operations – Files reference IP addresses, site diagrams, hardware, and network security architecture.

  • Finance and Accounting – Budgets, reconciliations, payroll details, and employee compensation documents.

  • Human Resources – Contracts, performance reviews, and possibly personally identifiable information (PII).

  • Legal and Compliance – Contracts, non-disclosure agreements, and potential litigation-related documents.

  • Project Management and Security – Status reports, task tracking, and internal security documentation.

Potentially Exposed Data Includes:

  • PII of employees and possibly customers

  • Internal network architecture and configurations

  • Financial reporting and payroll records

  • Legal agreements and NDAs

  • Customer-related documentation and contracts

This collection suggests a high-impact breach that could expose Colt to financial losses, legal consequences, reputational damage, and downstream security risks for partners and clients.

Warlock’s Ransom Strategy 

Warlock is a relatively recent but active ransomware group, using clear web and dark web platforms to advertise breaches, and maintaining a public presence on forums like RAMP.

Their operations indicate a shift toward ransomware groups behaving more like commercial threat actors—curating leaks and marketing breaches.

KELA data shows that, among 32 victims, the United States is the most targeted geography and Technology is the most targeted sector, followed by Manufacturing & Industrial Products, Telecommunications, and Professional Services. KELA cannot disclose the entire list of claimed victims, but some recent examples beyond Colt include Orange, Infonica, webcids, and Advion.

Warlock is offering the Colt dataset for sale at USD 200,000 and has hinted that they may leak more data if a buyer doesn’t emerge. The group’s strategy follows a common ransomware pattern: leak a portion of stolen data to validate the breach, attract buyers, and pressure the victim. However, selective leaks and data sales also put third parties at risk, especially those named in the stolen files.

Implications Beyond the File List

While the published list may provide insights into the type of data compromised, it is likely incomplete. Organizations not named in the list could still be impacted. There’s also the possibility that Warlock is holding back further disclosures to incentivize a purchase—or may eventually leak the full trove if no buyer emerges.

This method of “proof-of-theft” combined with aggressive public sales tactics is not new, but it highlights a dangerous trend: cybercriminal groups are becoming increasingly transparent about their monetization strategies, raising the stakes for victims and third parties alike.

Stay Ahead of the Fallout: What Should Organizations Do?

Given the scale of this attack and Warlock’s willingness to publicize and monetize stolen data, it’s critical for organizations, especially those operating in telecom, infrastructure, or technology, to:

  • Closely monitor the dark web for signs that their data has been exposed, even if not directly mentioned in initial leaks.

  • Use tools like KELA’s Monitor and Investigate to identify relevant threats, leaked file names, and associated actor activity.

  • Stay informed on threat actors’ communication platforms, behavior changes, and monetization tactics.

KELA customers have access to the Platform for more information on this leak and can monitor for brand names, executive names, vendor relationships, or technical assets. 
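A third party can apply the same kind of triage to a published file listing: tally entries by the Office types named in the file analysis above, and flag filenames that mention its own brand, executive, or asset terms. This is an added example, not KELA's tooling; the one-path-per-line format, the sample paths, and the watchlist terms are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Office extensions taken from the article's "File Types" list.
OFFICE_TYPES = {".xls": "excel", ".xlsx": "excel", ".doc": "word",
                ".docx": "word", ".pptx": "powerpoint"}

# Constructed sample listing (one path per line is an assumed format).
SAMPLE_LISTING = [
    r"D:\Finance\Payroll\2024_payroll_summary.xlsx",
    r"D:\Legal\NDA\NDA_ExampleCorp_signed.docx",
    r"D:\Sales\decks\Q3_review_examplecorporation.pptx",
    r"D:\Network\sites\examplecorp-fra1-rack-diagram.xls",
    r"D:\HR\reviews\jane.doe_performance.doc",
    r"D:\Network\exports\fw-config-backup.txt",
]
# Hypothetical watchlist for a fictional third party named ExampleCorp.
SAMPLE_WATCHLIST = {
    "brand": ["ExampleCorp"],
    "executive": ["jane.doe", "Jane Doe"],
    "technical_asset": ["fra1", "203.0.113.10"],
}

def compile_watchlist(watchlist):
    """Turn {category: [terms]} into {category: regex} with boundary-aware matching."""
    compiled = {}
    for category, terms in watchlist.items():
        if not terms:
            continue  # an empty alternation would match every line
        alternation = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
        # A letter or digit next to the term disqualifies it; "_", "-", "." and "\" do not.
        compiled[category] = re.compile(rf"(?<![a-z0-9])(?:{alternation})(?![a-z0-9])", re.I)
    return compiled

def triage(lines, watchlist):
    """Return (file-type counts, list of (path, category, matched term))."""
    patterns = compile_watchlist(watchlist)
    type_counts, hits = Counter(), []
    for raw in lines:
        path = raw.strip()
        if not path:
            continue
        suffix = PureWindowsPath(path).suffix.lower()
        type_counts[OFFICE_TYPES.get(suffix, "other")] += 1
        for category, pattern in patterns.items():
            match = pattern.search(path)
            if match:
                hits.append((path, category, match.group(0).lower()))
    return type_counts, hits
```

The boundary check keeps `examplecorporation` from being reported as a hit for `ExampleCorp`, which matters when a listing runs to hundreds of thousands of entries and every false positive costs analyst time.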

Want help identifying whether your organization is exposed in this or other leaks? Contact KELA or use your Investigate access to run queries immediately. 
