Sedgwick Government Solutions Ransomware Incident (linked to TridentLocker)

BLUF

A third-party file transfer system used by Sedgwick Government Solutions, a contractor for U.S. government agencies, was compromised by the TridentLocker ransomware group, leading to data theft from government clients.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by third-party file transfer system compromise and ransomware-driven data exfiltration:

  • Low-end total cost: $2.2M – $2.8M
    (Rapid containment, limited data scope, minimal regulatory escalation)

  • Typical expected range: $3M – $4.5M
    (Confirmed exfiltration, multi-agency notifications, sustained recovery effort)

  • Upper-bound realistic scenarios: $5M – $7M
    (Extended regulatory scrutiny, contractual disputes, insurance premium escalation)

Key cost driver:

Costs are driven less by system encryption itself and more by loss of trust in third-party data handling controls. Confirmed data exfiltration from a government-facing vendor forces organizations to invest heavily in forensic assurance, regulatory coordination, and long-term risk governance, extending financial impact well beyond initial incident response.

Targeted Sectors

·         Government (specifically U.S. government agencies)

·         Insurance

·         Business Services.

Countries

United States.

Date of first reported activity

·         Early January 2026; the date of initial compromise has not been disclosed

Date of last reported activity update

·         January 6-7, 2026

APT names

·         This has not been associated with an APT group

Associated criminal organization names

·         TridentLocker ransomware group

IOCs

Specific IOCs were not publicly detailed in the general news reports. The indicators below are generic ransomware and data-exfiltration indicators to hunt for, not artifacts observed in this incident.

Network-based IOCs:

·         Unusual outbound network traffic, especially a high volume of data to unknown or suspicious external IP addresses/domains (indicating data exfiltration).

·         Anomalous Domain Name System (DNS) requests, particularly to known malicious domains or involving DNS tunneling.

·         Connections to IP addresses and domains associated with the Tor network, as the group uses a Tor-based leak site.

Host-based IOCs:

·         Presence of unknown or unauthorized executable files (e.g., the ransomware payload).

·         Suspicious changes to system files or registry entries.

·         Unauthorized software installations on systems.

·         Unusual CPU, memory, or network resource usage spikes.

Behavioral IOCs:

·         Anomalies in privileged user account activity, such as attempts to escalate privileges or access data outside normal patterns.

·         A large number of failed login attempts, potentially indicating a brute-force attack.

·         Activity from unexpected geographical locations.


Tools used in campaign: Ransomware (TridentLocker), file transfer system exploit (specifics not disclosed).

CVEs and CVSS Vectors

·         There have not been any CVEs associated with this campaign

Nessus ID:

·         No Nessus plugin IDs apply, as no CVEs have been associated with this campaign

Patching/Mitigation data

No vendor patch applies, since no CVE has been attributed to this incident; mitigation is control-based.

·         Securing third-party file transfer systems: inventory them, isolate them from internal networks, limit their exposure to the internet, and monitor them for bulk downloads.

·         Robust vendor risk management, including requirements for logging and timely breach notification by contractors that handle government data.

Malware names

·         TridentLocker ransomware

Malware samples

As a reminder, hunt on the heuristic behavior of the malware rather than on static indicators. Hashes, domains, etc. tend to be dynamic and will usually differ for each target and attack, and can differ even within the same attack.

sha256

579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

URL link to sample

·         hxxps://www.virustotal.com/gui/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

Likely associated TTPs

Based on incident reports and known behaviors of the TridentLocker group, the following Tactics, Techniques, and Procedures (TTPs) are associated with this event:

·         T1190 Exploit Public-Facing Application

o   The group compromised an isolated file transfer system to gain access.

·         T1036 Masquerading

o   In related campaigns during this period, attackers used fake software installers to deploy malware. This has not been confirmed for the Sedgwick incident.

·         T1078 Valid Accounts

o   Threat actors often exploit weak or reused credentials sourced from the dark web for initial access. This is a general pattern for the group; the credential source in this incident has not been disclosed.

·         T1020 Automated Exfiltration

o   The group reportedly exfiltrated 3.39 GB of data before public disclosure. The exfiltration tooling has not been disclosed, so the automated versus manual distinction is an inference.

·         T1486 Data Encrypted for Impact

o   As a ransomware operation, TridentLocker utilizes encryption to pressure victims.

·         T1567 Exfiltration Over Web Service

o   TridentLocker operates as a combined "data broker" and ransomware group and uses double extortion: sensitive data was published to a dedicated Tor data leak site for extortion purposes.

Suggested rules / potential hunts

Suricata

Exfiltration to File-Sharing Services

TridentLocker frequently uses legitimate file-hosting sites to stage stolen data. Note that this rule matches any HTTP POST of a .zip to a URI containing "upload", so it will fire on legitimate SaaS uploads as well; treat it as a lead to pivot on (destination, volume, source host) rather than as a confirmed detection, and it is blind to TLS-wrapped uploads unless traffic is decrypted.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SUSPICIOUS TridentLocker Exfiltration - Possible File Upload"; flow:to_server,established; content:"POST"; http_method; content:".zip"; http_uri; content:"upload"; http_uri; classtype:policy-violation; sid:2026001; rev:1;)

Tor Data Leak Site Traffic

TridentLocker utilizes Tor for its leak site communication. The rule below watches for connections to the default Tor ORPort and DirPort (9001/9030); Tor clients and bridges commonly use 443, so pair it with a current Tor relay IP list and treat hits as a policy signal rather than confirmed C2. (The original rule combined flow:established with flags:S, which can never both hold, and its reference URL was cut off; both have been dropped.)

alert tcp $HOME_NET any -> $EXTERNAL_NET [9001,9030] (msg:"ET POLICY Tor Onion Routing Traffic Observed (Potential TridentLocker C2)"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 600; classtype:policy-violation; sid:2026002; rev:1;)

SentinelOne

VSS Admin Shadow Copy Deletion

A hallmark of TridentLocker (and of most ransomware) to prevent system recovery. The parentheses matter: without the outer pair, the OR clause binds loosely and the wmic condition is evaluated regardless of EventType.

EventType = "Process Creation" AND ((CmdLine CONTAINS "vssadmin.exe" AND CmdLine CONTAINS "delete shadows") OR (CmdLine CONTAINS "wmic" AND CmdLine CONTAINS "shadowcopy" AND CmdLine CONTAINS "delete"))

Unusual File Transfer Activity

Since the Sedgwick attack targeted file transfer systems, monitor hosts that service those transfers for interactive discovery of credential-bearing files. The query below covers Notepad launched from Explorer; extend ProcessName to cmd.exe and powershell.exe to cover shell-based access.

EventType = "File Open" AND ProcessName = "notepad.exe" AND (FilePath CONTAINS "password" OR FilePath CONTAINS "credential") AND ParentProcessName = "explorer.exe"

Splunk

Mass File Rename/Extension Changes

Detect the encryption phase, where a single process writes a large number of new files in a short window. Sysmon Event ID 11 is FileCreate, so this catches encryptors that write a new file per victim file; counting by TargetFilename alone would give a count of 1 per file, so the query counts distinct files per process and host within a time bucket.

index=windows_logs sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11

| bin _time span=5m

| stats dc(TargetFilename) as files_created by _time, Computer, Image

| where files_created > 100

| rename Image as "Process_Responsible"

Suspicious RDP Inbound Traffic

Hunt for lateral movement often seen before ransomware execution.

index=network_logs (dest_port=3389 OR service=rdp)

| stats dc(dest_ip) as unique_destinations by src_ip

| where unique_destinations > 5

| table src_ip, unique_destinations
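The shadow-copy deletion hunt and the mass file creation hunt above, written out in Python as an added example (not part of the original page or of either vendor's query language) over constructed Sysmon-style records, so the logic can be checked before it is ported to SentinelOne or Splunk. The host names, image paths, the .locked extension and the thresholds are assumptions. The example goes beyond the Splunk query: it applies a sliding time window and also requires that most of the new files share one extension, which separates an encryptor from a build tool or backup job that also creates many files.

```python
"""
Added example, not from the original CyberDax write-up: the shadow-copy
deletion and mass file creation hunts implemented over constructed log
records. Hosts, paths, extensions and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os
import re

# Either form of snapshot removal, case-insensitive. Keeping the two forms in
# separate patterns avoids the "A AND B OR C" precedence bug in the page's query.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)
WMIC_RE = re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I)


def is_shadow_copy_deletion(event: dict) -> bool:
    """True for a Process Creation event whose command line removes VSS snapshots."""
    if event.get("EventType") != "Process Creation":
        return False
    cmd = event.get("CmdLine", "")
    return bool(VSSADMIN_RE.search(cmd) or WMIC_RE.search(cmd))


def mass_file_creation(events, window=timedelta(minutes=5), threshold=100, dominant_ratio=0.8):
    """
    Flag (host, image) pairs that create more than `threshold` distinct files
    inside any `window`, where at least `dominant_ratio` of those files share
    one extension. Returns one finding per flagged process, sorted by host.
    """
    per_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 11:  # Sysmon FileCreate
            continue
        per_proc[(ev["host"], ev["Image"])].append(
            (datetime.fromisoformat(ev["UtcTime"]), ev["TargetFilename"])
        )
    findings = []
    for (host, image), rows in per_proc.items():
        rows.sort()
        times = [t for t, _ in rows]
        files = [f for _, f in rows]
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            seen = set(files[start:end + 1])
            if len(seen) <= threshold:
                continue
            ext_counts = defaultdict(int)
            for f in seen:
                ext_counts[os.path.splitext(f)[1].lower()] += 1
            ext, n = max(ext_counts.items(), key=lambda kv: kv[1])
            if n / len(seen) >= dominant_ratio:
                findings.append({"host": host, "image": image, "files": len(seen), "extension": ext})
                break  # one finding per process is enough for triage
    return sorted(findings, key=lambda f: (f["host"], f["image"]))


# Constructed process-creation records (assumed, not observed artifacts).
SAMPLE_PROCESS_EVENTS = [
    {"EventType": "Process Creation", "CmdLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "Process Creation", "CmdLine": "wmic shadowcopy delete"},
    {"EventType": "Process Creation", "CmdLine": "vssadmin list shadows"},   # benign listing
    {"EventType": "File Open", "CmdLine": "wmic shadowcopy delete"},          # wrong event type
]


def build_sample_events():
    """Constructed Sysmon-style FileCreate records: an encryptor writing 150 .locked
    files in 150 seconds, plus a build tool writing 120 mixed-extension files over an hour."""
    base = datetime(2026, 1, 6, 3, 0, 0)
    events = []
    for i in range(150):
        events.append({"EventCode": 11, "host": "FTS-01",
                       "Image": r"C:\Users\svc\AppData\Local\Temp\enc.exe",
                       "UtcTime": (base + timedelta(seconds=i)).isoformat(),
                       "TargetFilename": rf"D:\transfer\inbound\claim_{i}.pdf.locked"})
    exts = [".obj", ".pdb", ".dll", ".exe"]
    for i in range(120):
        events.append({"EventCode": 11, "host": "BUILD-02",
                       "Image": r"C:\Program Files\MSBuild\MSBuild.exe",
                       "UtcTime": (base + timedelta(seconds=30 * i)).isoformat(),
                       "TargetFilename": rf"C:\src\out\mod_{i}{exts[i % 4]}"})
    return events


if __name__ == "__main__":
    print([is_shadow_copy_deletion(e) for e in SAMPLE_PROCESS_EVENTS])  # [True, True, False, False]
    for finding in mass_file_creation(build_sample_events()):
        print(finding)  # only FTS-01 / enc.exe with extension .locked is reported
```

The build tool in the sample creates more files than the page's threshold over an hour but never more than 100 within five minutes, and its extensions are mixed, so it is not reported; the encryptor trips both the window count and the dominant-extension check. Tune the ratio down for encryptors that keep original extensions and rely on the window count alone.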


Delivery method

·         Initial access likely via a compromised third-party file transfer system or stolen credentials.

Email samples

·         No samples publicly disclosed.

References

SC Media

·         hxxps://www.scworld.com/brief/cyberattack-against-sedgwicks-federal-contractor-subsidiary-confirmed

Security Affairs

·         hxxps://securityaffairs.com/186525/data-breach/sedgwick-discloses-data-breach-after-tridentlocker-ransomware-attack.html

Bleeping computer

·         hxxps://www.bleepingcomputer.com/news/security/sedgwick-confirms-breach-at-government-contractor-subsidiary/

The Record by Recorded Future

·         hxxps://therecord.media/sedgwick-cyber-incident-ransomware

VirusTotal

·         hxxps://www.virustotal.com/gui/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
