TridentLocker is a ransomware-as-a-service (RaaS) operation that emerged in late November 2025. It uses double-extortion tactics, encrypting victim systems and threatening to leak exfiltrated data if ransom demands are not met. The group has been described as a ransomware gang and has also referred to itself as a data broker. Reported behavior includes data exfiltration over web protocols and encryption for impact. Since surfacing, TridentLocker has claimed roughly 12 victims on its Tor-based leak site across manufacturing, government, IT, and professional services, with targeting reported in North America, Europe, China, and the UK.
Victims directly mentioned in the content include Sedgwick Government Solutions and Belgian postal service bpost. In the Sedgwick Government Solutions incident, TridentLocker claimed to have stolen approximately 3.39-3.4 GB of documents from an isolated file transfer system and published samples on its dark web/Tor leak site. Sedgwick stated there was no evidence of access to claims management servers and no broader impact on the parent company’s network. In the bpost incident, TridentLocker claimed responsibility for exfiltrating 5,140 files totaling about 30.46 GB from a third-party exchange platform; the stolen data reportedly included personal and business information of some customers of the affected department.
The content does not provide a detailed technical infection chain, specific malware family internals, or concrete indicators of compromise such as hashes, domains, wallet addresses, or mutexes. High-confidence characteristics directly supported by the content are that TridentLocker operates a Tor leak site, conducts data theft and public leak extortion, and is associated with ransomware attacks against government-related and other enterprise targets.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware implicated in an attack leading to a disclosed data breach at Sedgwick.
Ransomware-as-a-service group that exfiltrates and encrypts data, then extorts victims by threatening to leak stolen information.
TridentLocker is a ransomware-as-a-service (RaaS) group that uses double-extortion tactics, encrypting victim systems and threatening to leak exfiltrated data. It has targeted organizations in government, manufacturing, IT, and professional services, primarily in North America and Europe, since its emergence in late November 2025.
TridentLocker is a ransomware family launched in late November 2025, operating as a RaaS group. It uses double-extortion tactics, encrypting victim data and threatening to leak stolen information unless a ransom is paid.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.