Colt Technology Services is still trying to restore its internal systems this morning, a week after a cyber attack claimed by the WarLock ransomware operation.
Meanwhile, over the weekend, it emerged that the WarLock group was offering data stolen in the attack for sale. The ransomware group is believed to have been exploiting vulnerabilities in SharePoint to stage its attacks.
In an update this morning, UK-based telco firm Colt said it was “continuing to work tirelessly to restore the internal systems affected by the recent cyber incident”.
While it has said there was no evidence the group had accessed employee or customer data, it today told The Stack: “We continue to work closely with law enforcement agencies as part of our investigation.”
Support services still offline
Colt's work to restore systems refers to “some” of its support services, including its Colt Online and Voice API platform. It said yesterday that it had taken them offline following last week's attack.
On August 14, the day of the attack, it said “We detected the cyber incident on an internal system. This system is separate from our customers’ infrastructure. We took immediate protective measures to ensure the security of our customers, colleagues, and business, and we proactively notified the relevant authorities.”
On Friday, it added, “We have the capability of monitoring our customers’ networks and we continue to manage network incidents efficiently but we’re working in a more manual way than normal.
“We’re working hard to get our automated monitoring capability fully restored.”
What is WarLock?
There’s some debate as to whether WarLock is strictly speaking a malware strain, or an organized group. Halcyon last month described it as a RaaS operation “tied to the China-based actor tracked as Storm-2603”. It said that as of late July, it had claimed at least 19 victims.
Other observers have described it as a ransomware variant.
Either way, it appears to have cut a swathe through victims since Microsoft flagged up WarLock in late July, hard on the heels of a warning of active attacks on SharePoint servers thanks to a brace of vulnerabilities. CISA subsequently issued an alert over the attacks.