Overview
- Colt said attackers accessed files that may include customer-related information, and it is offering customers a way to request the list of filenames posted on the dark web.
- Key support portals, including Colt Online and the Voice API, remain offline, with restoration work ongoing and no timeline provided.
- Warlock claims to be auctioning roughly one million Colt documents for $200,000 on the RAMP forum, has not released samples, and set an August 27 auction end date.
- Microsoft previously reported that a threat actor it tracks as Storm-2603 was distributing Warlock ransomware via the SharePoint ToolShell exploit, while Trend Micro detailed post-exploitation tactics including GPO abuse, RClone exfiltration, and a LockBit-derived locker that appends the .x2anylock extension.
- Warlock has listed other victims such as Orange Belgium, and UK FOIA data shows the ICO was aware of ToolShell-related personal data breaches by late July.