Full Report
Back on August 12th 2025, I’d suspected Colt Technology Services had a ransomware incident running. For those who haven’t heard, Colt are quite important in the UK and Europe.

At the time they were referring to it as a “technical issue” on their status page. This continued for just over two days. Here’s an archive of their status page; the text about the technical issue has since disappeared.

They were trying to respond to an unfolding ransomware/extortion incident without telling customers what was happening.

As always with these cyber incidents involving unpredictable external parties (i.e. e-crime groups), transparency is the best option, as everything begins to unfold quickly otherwise — I’ve seen this time and time again at organisations. Quite often internal forces — e.g. legal departments — will push incidents in the wrong direction from actually protecting the overall business, as they’re operating in isolated thought around their own department responsibilities.

You have to place protecting customers first in every situation, as the business is essentially experiencing both a technical heart attack and an attack on trust by the threat actor. Perception is reality. It’s best to control the narrative as much as possible, and the best way to do that is to do generally the opposite of everything people who’ve never dealt with a ransomware incident will tell you to do.

After a few days, they still weren’t letting customers know it was a cyber incident, so I started a thread online to try to coax Colt out of the dark:
https://cyberplace.social/@GossiTheDog/115026580893996072

From telemetry, I could see an operator from the Warlock ransomware group hitting sharehelp.colt.net, a SharePoint server that was now offline. It was also clear they’d done data exfiltration.

After tweeting this, LeakIX — an internet scanning service — contacted me to let me know Colt had a popped SharePoint box — the same IP as sharehelp.colt.net — which had a webshell on it. They’d let Colt know on July 22nd.

Email thread from LeakIX

It looks like this was the entry point. The box was initially vulnerable to CVE-2025-53770; going by version fingerprint scan data, it had been patched fairly quickly — but it already had a webshell on it by that point, i.e. the backdoor was placed for later.

You may recognise these TTPs if you pay attention to Warlock — aka STORM-2603 — as Microsoft had reported this vuln being used for ransomware deployment by the group, with the same webshell filename (spinstall0.aspx).

After these delightful toots, Colt pivoted to the cyber incident messaging later that day. From this point, their comms improved considerably.

Although the comms refer to “an internal system”, it’s pretty clear given the scale of the systems still offline that it’s a big one, not confined to a single system.

By August 15th I’d noticed there was a forum post on RAMP, a Russian Tor site, from Warlock advertising data for sale. In this, it included a file listing of approximately 400k documents, including Colt customer documentation, performance reviews of staff and such.

That list is available here, if orgs want to understand their level of risk:
https://www.klos.com/~john/colt_filename_tree.txt

Colt have now set up a dedicated breach website — it’s not linked from their website for some reason, and the HTML code includes noindex, which stops search engines listing it:
Cyber Incident | Colt Technology Services

They’ve also admitted the theft of customer data on said site.

Some learnings

These incidents are always a bit of a car crash — I’ve been there several times — and as Mike Tyson once said, “Everybody has a plan until they get punched in the face”.

Ransomware and extortion incidents are those situations, as the incident environment becomes fluid due to the usual pillars of business becoming unstable — for example, IT systems and access to documents. Staff also enter an extreme amount of stress. Watch for that and rotate people on shifts: you’re going to be recovering the company for a while; it’s not a sprint.

You have to be agile, you have to be fast, and you have to think outside the box.

For me, I think transparency is the centre point to aim people at. For example, people should be asking “if I’m a customer, would I want to know? Should my colleagues know what is happening?”

You can, and should, aim to suck the life out of the threat actor’s extortion by pre-empting them. Yes, they’re going to go public to try to get customers to complain. So tell the customers first. This one was pretty slow in terms of external response — I’m sure lots was happening internally — which allowed the threat actor to go a bit nuts.

Don’t pay the threat actor. These guys are running around with attack budgets of millions of dollars — far more than your cyber defence budget — because orgs keep paying.

I think running SharePoint on prem in 2025 is hugely risky. There aren’t that many on prem boxes left online — for example, if you look on Shodan they’re dwarfed by on prem Citrix NetScalers nowadays by a factor of several times (not that it’s a good idea to run Citrix NetScaler on prem in 2025, either). Threat actors will find vulnerabilities in that product, as it’s a dwindling number of high value orgs running it. It’s time to say goodbye to SharePoint.

Orgs probably want to look at attack surface management, as clearly when those SharePoint vulns hit as a zero day in July, things were going to go wrong for some orgs. We all need to know where our web facing systems are, have a way to look for known webshells (the filename in this one was a known one, hence LeakIX being able to scan for it), and respond accordingly.

But, you know, hindsight is a wonderful thing, cyber incidents like this are truly terrible, and there’s no perfect way to respond. I think Colt get serious credit for — per their cyber incident website — having a properly segmented network for customer systems, which has limited the impact considerably.

I definitely think everybody should try to learn from incidents like this, though, and really think about: do we really know what to do? Ransomware and extortion incidents aren’t an IT disaster recovery scenario. It’s somebody deliberately starting a fire. Every org I’ve come across has an IT disaster recovery plan, but it never survives somebody burning down the building on purpose.

One final thing. The UK government needs to continue to treat ransomware seriously. There are plans afoot here in the UK to stop critical infrastructure paying ransomware, and for all incidents to be notified centrally. These plans need to continue at pace and get implemented. We’ve got to break this economic cycle.

The longer these ransomware groups keep getting funded, the more incidents there will be, the more vulnerabilities purchased, etc. — sooner or later you’re going to get a Colt style incident at another provider who hasn’t segmented their network properly. And that’s going to be a highly significant incident. This wasn’t.

The UK government should get out in front of that situation and really be a world leader by quite literally leading the world on how to defuse these ransomware groups through thoughtful legislation and central governance.

Updates

You can follow me for updates on Mastodon if you’re really bored.
https://cyberplace.social/invite/BeKU6RCG

“Colt Technology Services gets ransomware’d via SharePoint initial access — some learning points” was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Incident Report: Colt Technology Services Ransomware Extortion Incident
## Executive Summary
Colt Technology Services experienced a ransomware and extortion incident beginning around August 12th, 2025, initially masked as a "technical issue." The compromise originated from a vulnerable, internet-facing SharePoint server exploited by the Warlock ransomware group, leading to data exfiltration. The initial response was noted for a lack of transparency, only pivoting to official cybersecurity messaging after external pressure mounted.
## Incident Details
- **Discovery Date:** Investigator suspected incident on August 12th, 2025. External scanner LeakIX reported a webshell to Colt on July 22nd, 2025 (potentially the initial compromise date).
- **Incident Date:** Investigation began around August 12th, 2025. Initial compromise likely occurred on or before July 22nd, 2025.
- **Affected Organization:** Colt Technology Services
- **Sector:** Telecommunications/Technology Services
- **Geography:** UK and Europe focused.
## Timeline of Events
### Initial Access
- **Date/Time:** On or before July 22nd, 2025.
- **Vector:** Exploitation of an on-premises SharePoint server.
- **Details:** The server was initially vulnerable to CVE-2025-53770 and, according to version fingerprint scan data, was patched fairly quickly. However, a webshell named `spinstall0.aspx` was already present by then, i.e. a backdoor had been placed for later use. Microsoft had previously reported the Warlock ransomware group (STORM-2603) using this vulnerability for ransomware deployment with the same webshell filename.
### Lateral Movement
- **Date/Time:** Unspecified, but prior to August 12th.
- **Details:** The webshelled SharePoint host reported by LeakIX shared its IP address with `sharehelp.colt.net`, the server the Warlock operator was seen hitting from telemetry and which was subsequently offline. The source does not describe movement beyond this host, but the scale of systems still offline indicates the incident was not confined to a single system.
### Data Exfiltration/Impact
- **Date/Time:** Prior to August 12th, 2025.
- **Details:** Evidence from telemetry confirmed data exfiltration by the Warlock ransomware operator. By August 15th, Warlock advertised data for sale on RAMP, including approximately 400k documents, comprising customer documentation and internal staff performance reviews.
### Detection & Response
- **Date/Time:** August 12th, 2025 (Public Detection/Suspicion).
- **Details:** Colt initially communicated a generic "technical issue" for just over two days. The investigator began public outreach on social media to prompt disclosure, and Colt pivoted to explicit cyber incident messaging later the same day. Colt later established a dedicated breach website confirming customer data theft; the site is not linked from Colt's main website and carries an HTML `noindex` directive, so search engines do not list it. Colt's incident site states that a properly segmented network for customer systems limited the overall impact.
## Attack Methodology
- **Initial Access:** Exploitation of an on-premises SharePoint vulnerability (CVE-2025-53770) leading to the deployment of a webshell (`spinstall0.aspx`).
- **Persistence:** The webshell provided continued access after the exploited vulnerability itself had been patched.
- **Privilege Escalation:** Not detailed in the source.
- **Defense Evasion:** Not detailed in the source.
- **Credential Access:** Not detailed.
- **Discovery:** Operator seen hitting `sharehelp.colt.net`.
- **Lateral Movement:** Unspecified, but necessary to access sensitive files.
- **Collection:** Gathering customer documentation and internal HR data.
- **Exfiltration:** Data exfiltrated from the environment and advertised for sale in a RAMP forum post, with a file listing of roughly 400k documents.
- **Impact:** Data extortion and operational disruption (indicated by offline systems).
## Impact Assessment
- **Financial:** Not quantified in the source.
- **Data Breach:** Theft of approximately 400,000 documents, including sensitive customer data and internal staff performance reviews.
- **Operational:** Significant disruption; the status page reported a "technical issue" for just over two days, and a large number of systems remained offline beyond that.
- **Reputational:** Initial response criticized for lack of transparency, eroding customer trust until official messaging improved.
## Indicators of Compromise
- **Network Indicators:**
- Affected host: `sharehelp.colt.net` (same IP address as the webshelled SharePoint server reported by LeakIX)
- **Threat Actor:** Warlock ransomware group (STORM-2603)
- **File Indicators:**
- Webshell Filename: `spinstall0.aspx`
- **Behavioral Indicators:**
- Warlock TTPs consistent with prior ransomware deployments using CVE-2025-53770.
- Posting of stolen data on RAMP leak site.
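The file indicator above is only useful if you can search for it. The following is an added detection example (not code from the original post or from Colt): it parses IIS W3C extended log lines from an on-premises SharePoint server, flags any request whose URI ends in a known webshell filename, and aggregates the source addresses. The log lines, including the `/_layouts/15/` path and the IP addresses, are constructed for the example; only the filename `spinstall0.aspx` comes from the write-up.

```python
"""Sweep IIS W3C logs for requests to known webshell filenames.

Added detection example. The sample log below is constructed; the only
value taken from the incident write-up is the webshell name spinstall0.aspx.
"""
from collections import Counter
from dataclasses import dataclass

# Webshell filenames to look for. spinstall0.aspx is the name reported in the
# incident; extend this set from your own threat intelligence.
KNOWN_WEBSHELL_NAMES = {"spinstall0.aspx"}


@dataclass(frozen=True)
class WebshellHit:
    timestamp: str
    client_ip: str
    method: str
    uri_stem: str
    status: str


def parse_w3c(lines):
    """Yield one dict per request row from IIS W3C extended log lines.

    Column names come from the '#Fields:' directive, so the function works
    regardless of which fields the server was configured to log.
    """
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or rows before any field list
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-align columns
        yield dict(zip(fields, values))


def find_webshell_requests(lines, names=KNOWN_WEBSHELL_NAMES):
    """Return every request whose URI stem ends in a known webshell filename.

    Matching is case-insensitive because IIS paths are case-insensitive.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        basename = stem.rsplit("/", 1)[-1].lower()
        if basename in wanted:
            hits.append(WebshellHit(
                timestamp=f"{row.get('date', '-')} {row.get('time', '-')}",
                client_ip=row.get("c-ip", "-"),
                method=row.get("cs-method", "-"),
                uri_stem=stem,
                status=row.get("sc-status", "-"),
            ))
    return hits


def source_ip_counts(hits):
    """Count hits per client IP: the first artefact to hand to the network
    team for blocking and to use when scoping wider log searches."""
    return Counter(h.client_ip for h in hits)


# Constructed sample: ordinary SharePoint traffic, two webshell requests from
# one address (one of them in upper case), and one malformed row.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-20 10:01:02 10.0.0.5 GET /sites/help/default.aspx - 443 198.51.100.7 200
2025-07-20 10:02:15 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 203.0.113.9 200
2025-07-20 10:02:16 10.0.0.5 GET /_layouts/15/SPINSTALL0.ASPX - 443 203.0.113.9 200
2025-07-20 10:03:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 198.51.100.7 200
this line is malformed and should be skipped
"""

if __name__ == "__main__":
    found = find_webshell_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.uri_stem} -> {h.status}")
    print("hits by source address:", dict(source_ip_counts(found)))
```

A hit here is strong evidence, not a false-positive-prone heuristic: legitimate SharePoint never serves a page of that name, so any request to it from any address warrants treating the host as compromised, even if the vulnerability that dropped the file has since been patched.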
## Response Actions
- **Containment:** Operator was seen hitting systems that subsequently went offline (suggesting internal action to isolate affected segments).
- **Eradication:** Not detailed in the source.
- **Recovery:** Not detailed in the source beyond the dedicated breach website; Colt's own incident site states that a segmented network for customer systems limited the scope of the incident.
## Lessons Learned
1. **Transparency is Critical:** Delaying disclosure of a cyber incident ("technical issue") allows the threat actor to control the narrative. Proactive, transparent communication is vital for protecting customer trust.
2. **On-Premises Risk:** Running on-premises SharePoint in 2025 is highly risky: the dwindling number of internet-exposed hosts is concentrated in high-value organisations, which makes the product worth attackers' effort to find vulnerabilities in.
3. **Incident Recovery is a Marathon:** Ransomware incidents stress business pillars; recovery is not a sprint and requires managing significant staff stress.
4. **Preparation Must Exceed DR:** Standard IT Disaster Recovery plans are insufficient; response must account for deliberate malicious actions (like arson).
5. **Pre-empt Extortion:** Organizations should aim to disclose data exfiltration before the threat actor does.
## Recommendations
1. **Decommission Legacy Systems:** Migrate away from high-risk, on-premises deployments like SharePoint in favor of modern, managed services.
2. **Strengthen Attack Surface Management (ASM):** Proactively identify and monitor all internet-facing assets, including searching for known webshell signatures.
3. **Practice Ransomware Playbooks:** Develop and practice IR plans specifically tailored for intentional malicious disruption, not just technical failures.
4. **Government Action:** Support government initiatives to mandate centralized reporting and discourage ransom payments to break the economic cycle funding these groups.
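Recommendation 2, like the attack surface management paragraph in the write-up, comes down to knowing which of your internet-facing hosts are on-premises SharePoint and whether they are at the build you require. The following is an added example (not code from the original post or from Colt) of that triage: it reconciles external scan observations against an approved asset inventory, fingerprints SharePoint from the `MicrosoftSharePointTeamServices` response header that on-premises SharePoint sends, and flags builds below a required minimum. The observations, hostnames, build numbers and the `MIN_PATCHED_BUILD` threshold are constructed placeholders; the real fixed build for your edition must be taken from Microsoft's advisory.

```python
"""Attack-surface triage for on-premises SharePoint exposure.

Added example. Scan observations, hostnames and the build threshold below
are constructed; MIN_PATCHED_BUILD is a placeholder, not a real fixed build.
"""
from dataclasses import dataclass

# PLACEHOLDER: replace with the build of the security update you require for
# your SharePoint edition (from Microsoft's advisory). Not a real fixed build.
MIN_PATCHED_BUILD = (16, 0, 0, 99999)

SP_HEADER = "microsoftsharepointteamservices"  # header name, compared lower-case


@dataclass(frozen=True)
class Observation:
    """One host seen by your own external scan, with its response headers."""
    host: str
    headers: dict


def parse_build(headers):
    """Return the SharePoint build from the MicrosoftSharePointTeamServices
    header as a tuple of ints, or None if the host does not send it or the
    value is not numeric. Header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == SP_HEADER:
            try:
                return tuple(int(p) for p in value.strip().split("."))
            except ValueError:
                return None
    return None


def triage(observations, approved_hosts, min_build=MIN_PATCHED_BUILD):
    """Classify each observed host and return sorted (host, finding) pairs.

    Three findings matter for this incident pattern: a host nobody put in
    the inventory, a host that is on-prem SharePoint at all, and a SharePoint
    build older than the minimum you require.
    """
    findings = []
    for obs in observations:
        if obs.host not in approved_hosts:
            findings.append((obs.host, "not in asset inventory"))
        build = parse_build(obs.headers)
        if build is None:
            continue
        version = ".".join(str(p) for p in build)
        findings.append((obs.host, f"on-prem SharePoint exposed, build {version}"))
        if build < min_build:  # tuple comparison orders builds numerically
            findings.append((obs.host, "build below required patch level"))
    return sorted(findings)


# Constructed observations: a web server, a known SharePoint host that is
# behind on patches, and a SharePoint host that is not in the inventory.
SAMPLE_OBSERVATIONS = [
    Observation("www.example.test", {"Server": "nginx"}),
    Observation("sharehelp.example.test",
                {"MicrosoftSharePointTeamServices": "16.0.0.10396",
                 "X-Powered-By": "ASP.NET"}),
    Observation("forgotten-sp.example.test",
                {"microsoftsharepointteamservices": "16.0.0.99999"}),
]
APPROVED_HOSTS = {"www.example.test", "sharehelp.example.test"}

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_OBSERVATIONS, APPROVED_HOSTS):
        print(f"{host}: {finding}")
```

Run against real scan output, the "not in asset inventory" finding is the one that usually matters most: a SharePoint host that is fully patched but unknown to the team is still the host nobody will check for a webshell that was dropped before the patch landed.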