Skip to content
Ransomware group

TridentLocker

TridentLocker is a ransomware-as-a-service (RaaS) operation that emerged in late November 2025.

Profile source: Mallory opens in a new tab

TridentLocker

Family profile

TridentLocker is a ransomware-as-a-service (RaaS) operation that emerged in late November 2025. It uses double-extortion tactics, encrypting victim systems and threatening to leak exfiltrated data if ransom demands are not met. The group has been described as a ransomware gang and has also referred to itself as a data broker. Reported behavior includes data exfiltration over web protocols and encryption for impact. Since surfacing, TridentLocker has claimed roughly 12 victims on its Tor-based leak site across manufacturing, government, IT, and professional services, with targeting reported in North America, Europe, China, and the UK.

Victims directly mentioned in the content include Sedgwick Government Solutions and Belgian postal service bpost. In the Sedgwick Government Solutions incident, TridentLocker claimed to have stolen approximately 3.39-3.4 GB of documents from an isolated file transfer system and published samples on its dark web/Tor leak site. Sedgwick stated there was no evidence of access to claims management servers and no broader impact on the parent company’s network. In the bpost incident, TridentLocker claimed responsibility for exfiltrating 5,140 files totaling about 30.46 GB from a third-party exchange platform; the stolen data reportedly included personal and business information of some customers of the affected department.

The content does not provide a detailed technical infection chain, specific malware family internals, or concrete indicators of compromise such as hashes, domains, wallet addresses, or mutexes. High-confidence characteristics directly supported by the content are that TridentLocker operates a Tor leak site, conducts data theft and public leak extortion, and is associated with ransomware attacks against government-related and other enterprise targets.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning TridentLocker

Jan 11
Securityaffairs

Security Affairs newsletter Round 558 by Pierluigi Paganini – INTERNATIONAL EDITION

“Sedgwick discloses data breach after TridentLocker ransomware attack”

Jan 8
Bank Info Security

Breach Roundup: Firewalls Headed for Obsolescence

Ransomware as a service group TridentLocker, which first surfaced online in November 2025, has claimed the breach. On its leak site, the group said it stole 3.39 gigabytes of data, or 2,497 files in total.

Jan 6
Cyber Security News

Sedgwick confirms Data Breach Following TridentLocker Ransomware Gang Claim

TridentLocker publicly listed SGS as a victim on New Year’s Eve, December 31, 2025, claiming to have exfiltrated 3.39 GB of documents and posting samples on its dark web leak site. The ransomware-as-a-service (RaaS) group, which emerged in late November 2025, employs double-extortion tactics, encrypting systems and threatening data leaks.

Jan 6
Cyberthrone

Sedgwick Discloses a Data Breach

TridentLocker operates as a ransomware-as-a-service (RaaS) group using double-extortion—encrypting data and threatening leaks. It has claimed 12 victims across manufacturing, government, IT, and professional services, targeting North America, Europe, China, and the UK.

Jan 6
Bleeping Computer

Sedgwick confirms breach at government contractor subsidiary

While the company didn't attribute the attack to a specific threat group, the statement confirms the TridentLocker ransomware group's claims that they breached the company. The threat actors say they've stolen 3.39 GB of documents and, since taking responsibility for the attack, they've also published some of the allegedly stolen data on their Tor data leak website.

Jan 5
Checkpoint Research

5th January - Threat Intelligence Report - Check Point Research

Sedgwick Government Solutions ... notified law enforcement and clients after the TridentLocker ransomware group claimed an attack on December 31.

Jan 5
Securityaffairs

Sedgwick discloses data breach after TridentLocker ransomware attack

TridentLocker is a ransomware-as-a-service (RaaS) operation that emerged in late November 2025. The group uses standard double-extortion tactics: encrypting systems and threatening to release exfiltrated data if ransoms aren’t paid.

Jan 2
The Record Media

Sedgwick confirms cyber incident affecting its major federal contractor subsidiary

On New Year’s Eve, the TridentLocker ransomware gang claimed it attacked Sedgwick Government Solutions and stole 3.4 gigabytes of data.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.