WarLock Ransomware group Claims Breach at Colt Telecom and Hitachi

WarLock ransomware claims breach at Colt and Hitachi, with Colt investigating and working to restore systems while experts review the alleged data theft.

When a new ransomware group shows up, many in the industry usually wait to see whether they can actually deliver on their threats. WarLock, which surfaced only two months ago, is trying to prove it can. This week, the group added Colt (colt.net) and Hitachi (hitachi.hta.com) to its victim list, claiming to have stolen sensitive data from both companies.

On its dark web leak site, WarLock claimed it has over one million documents linked to the UK-based telecommunications provider Colt. Instead of making a clear ransom demand, the group is offering the alleged trove for $200,000 through an associate account on a Russian cybercrime forum.

The data up for sale is said to include executive emails, employee salary information, financial records, customer contracts, internal personal details, and even network architecture and software development files.

A WarLock ransomware group affiliate using the alias “cnkjasdfgd” advertising alleged Colt data for sale (Image credit: KELA Cyber via BleepingComputer)

Hitachi was also named as a victim, though its case remains uncertain. The Japanese conglomerate briefly appeared on WarLock’s leak site before its name was taken down. Whether this means negotiations are ongoing or the data was overstated is still unclear.

Screenshot from the WarLock ransomware leak site showing Colt listed as a victim, along with Hitachi which has since been removed (Image credit: Hackread.com).

WarLock itself is a relatively new player in the ransomware market. The group was first advertised on a Russian forum in June 2025 and operates under a ransomware-as-a-service model, where affiliates carry out attacks under its banner.

Analysts link WarLock to a China-based threat actor known as Storm-2603, active since March this year. Since mid-July, the ransomware has been used in at least 11 confirmed attacks, several targeting government institutions. The same group was also spotted exploiting critical SharePoint flaws in July.

Colt has since responded, but stopped short of confirming WarLock’s claims. In a statement to BleepingComputer, a company spokesperson said they are aware of the allegations and are investigating. The spokesperson added that technical teams are working to restore impacted internal systems with support from third-party cybersecurity experts, and thanked customers for their understanding while efforts continue to resolve the disruption.

Cybersecurity experts have been quick to weigh in on the Colt incident. Evan Powell, CEO of DeepTempo, shared his thoughts with Hackread.com, emphasizing how service providers are especially vulnerable.

“Service providers have an immense challenge. They are attractive targets. They can be used for surveillance and to penetrate user environments by attackers, so they themselves are perhaps the most attractive attack vector to attackers. And service providers are responsible for keeping a network safe that has systems on it that they do not control, their own customer’s systems.”

Powell was also critical of Colt’s public response. “The announcements from Colt Telecom that they have taken ‘proactive measures’ to respond to the attackers are a bit cringy. It appears from reports that Colt was unaware of the severity of the attack as it unfolded, and as it continues to unfold. The attackers are moving faster than they are. Being truly proactive would have meant using advanced threat detection for the ever more advanced threats that are disrupting countless organizations around the world.”

He added that this situation is far from unique. “Unfortunately this is a common pattern in high stakes cybersecurity environments. Legacy vendors are extracting ever higher license fees for aging rules and traditional ML based detection systems, even while attackers are increasingly deploying methods that avoid such detections. We can expect to see many more successful attacks on especially service providers until they and their vendors deploy truly ‘proactive’ defenses, based upon the ability to actually see when they are being attacked.”

Hitachi’s situation is less clear, but its brief listing alone shows how aggressive the group wants to appear. Nevertheless, with a new ransomware outfit proving its reach so quickly, companies across the telecom and technology sectors need to remain alert.

HackRead