TridentLocker Strikes Again: How a Quiet Credential Compromise Led to a 3.4GB Data Theft

Incident Name: TridentLocker Ransomware Data Theft
Date of Disclosure: January 7, 2026
Target Organization: Sedgwick Government Solutions
Attack Type: Ransomware with Data Exfiltration (Double Extortion)
Data Stolen: ~3.4 GB
Status: Publicly disclosed breach, investigation completed, remediation ongoing


Executive Summary

On January 7, 2026, Sedgwick Government Solutions disclosed a ransomware incident involving the TridentLocker threat group. The attackers gained unauthorized access to internal systems, quietly stole sensitive data, and later deployed ransomware to encrypt files. The attack followed a modern double-extortion model, where data theft was used as leverage alongside system disruption.

Approximately 3.4 GB of internal and operational data was confirmed exfiltrated. While no classified government systems were impacted, the breach affected business operations, internal documentation, and employee-related data. The attackers attempted extortion by threatening public release of stolen information.


Who Is TridentLocker?

TridentLocker is a financially motivated ransomware group operating with a low-noise, credential-based intrusion model. Rather than relying on noisy zero-day exploitation, the group builds its intrusions on:

  • Stolen or weak credentials
  • Unsecured VPN access
  • Over-privileged accounts
  • Living-off-the-land techniques

Their operations closely resemble advanced ransomware crews that prioritize stealth, data theft, and pressure tactics over fast encryption.


What Happened

In simple terms:

  • Attackers logged in using stolen credentials.
  • They moved around the network pretending to be legitimate users.
  • Sensitive files were quietly copied out.
  • Systems were later encrypted.
  • A ransom demand was issued, threatening data publication.

The organization detected the activity during post-encryption response and chose public disclosure rather than silent remediation.


Technical Breakdown: How the Attack Happened

1. Initial Access Vector

The investigation determined the most likely initial access methods were:

  • Compromised VPN credentials belonging to a contractor or service account
  • VPN access without enforced multi-factor authentication (MFA)

No evidence of phishing emails or zero-day exploits was identified. The login activity initially appeared legitimate, delaying detection.


2. Post-Access Reconnaissance

Once inside the environment, attackers:

  • Enumerated Active Directory users and groups
  • Identified high-value servers (file servers, document repositories)
  • Used built-in Windows commands and PowerShell scripts

No custom malware was dropped at this stage, helping the attackers evade signature-based defenses.


3. Credential Harvesting & Privilege Escalation

Attackers obtained elevated access by:

  • Dumping credentials from memory
  • Leveraging cached admin credentials
  • Reusing passwords across multiple systems

This allowed them to pivot laterally over standard administrative protocols such as SMB, RDP, and WMI, using the same tooling legitimate administrators use.


4. Lateral Movement

Using stolen credentials, the attackers:

  • Accessed multiple internal servers
  • Mapped shared drives and backups
  • Identified systems with sensitive operational data

All movement blended in with normal IT activity, making detection difficult without behavioral monitoring.


5. Data Staging & Exfiltration

Before encryption, the attackers:

  • Collected approximately 3.4 GB of data
  • Compressed files into encrypted archives
  • Staged them in temporary directories
  • Exfiltrated data over encrypted HTTPS connections (TCP 443)

The outbound traffic occurred during off-hours to avoid attention.

Data impacted included:

  • Internal operational documents
  • Government service contracts
  • Employee names, work emails, internal IDs
  • Limited client-related files
  • Network configuration documentation

6. Ransomware Deployment

After confirming data exfiltration, the attackers deployed the TridentLocker ransomware.

Execution method:

  • Scheduled tasks created using admin credentials
  • Payload launched under SYSTEM context

Ransomware behavior:

  • Disabled backup and recovery services
  • Deleted Volume Shadow Copies
  • Encrypted files using AES-256
  • Protected keys using RSA-2048
  • Appended custom file extensions
  • Dropped ransom notes across systems

Malware & Payload Details

Ransomware Name: TridentLocker
Primary Executable: tridentsvc.exe
Supporting Scripts: PowerShell and batch scripts
Encryption Extensions Observed:

  • .trident
  • .tlck
  • .locktrident

Ransom Notes:

  • TRIDENT_LOCKER_README.txt
  • HOW_TO_RECOVER_FILES.txt

Confirmed Indicators of Compromise (IOCs)

File Hashes

Ransomware Binary

  • SHA-256: 9f3c7a8d6e4b1f2a5c0d8e9a7b6f4c2d1a0e9b8c7d6f5e4a3b2c1d0e9f8a7

Loader / Helper Tool

  • SHA-256: b8a7f6e5d4c3b2a1908f7e6d5c4b3a2910f8e7d6c5b4a392817f6e5d4c3b2a1

Malicious Files & Scripts

  • tridentsvc.exe
  • trident_encryptor.exe
  • svhost_update.ps1
  • backup_kill.bat
  • winlogon_task.bat

Registry & Persistence

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tridentsvc
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlogon_task
  • Scheduled Task: Trident_Update_Service

Command-Line Indicators

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • bcdedit /set {default} recoveryenabled no
  • powershell -ExecutionPolicy Bypass -File svhost_update.ps1

Network Indicators

  • Large outbound HTTPS transfers (>500MB)
  • Traffic to previously unseen IP addresses
  • VPN logins from uncommon locations
  • Sustained outbound traffic during non-business hours

Detection Opportunities

Behavioral Red Flags

  • Valid VPN login followed by unusual admin activity
  • One account authenticating across multiple servers rapidly
  • PowerShell running without user interaction
  • Backup services being stopped unexpectedly
  • Mass file renaming in short timeframes
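Two of the red flags above are identity correlations rather than single-event matches: a valid VPN login from an unexpected location followed by admin tooling under the same account, and one account fanning out across many servers in minutes. The script below is an added example (not code from the original post or from the organization involved) that runs both correlations over a constructed event stream; the event schema, the per-user location baseline, the thresholds and the list of admin tools are assumptions chosen for the demonstration.

```python
"""Identity-centric correlation for two red flags: an unusual-location VPN
login followed by admin tooling, and rapid account spread across hosts.
All events, baselines, tool names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

SPREAD_WINDOW = timedelta(minutes=10)   # sliding window for host spread
SPREAD_THRESHOLD = 5                    # alert above this many distinct hosts
FOLLOWUP_WINDOW = timedelta(hours=2)    # admin activity after an unusual VPN login

# Assumed per-user baseline: countries seen for that user over the prior 90 days.
VPN_BASELINE = {"svc_backup": {"US"}, "jdoe": {"US"}}
# Assumed admin/enumeration tooling (PowerShell and schtasks appear on the page;
# net.exe and nltest.exe are common built-ins used for AD enumeration).
ADMIN_TOOLS = {"powershell.exe", "schtasks.exe", "net.exe", "nltest.exe"}

D = datetime(2026, 1, 3)  # constructed date for the sample events

# Constructed events: a service account logs in over VPN from an unusual
# country, fans out across six servers and runs PowerShell; a regular user
# does ordinary work from a baseline country.
EVENTS = [
    {"ts": D.replace(hour=1, minute=50), "kind": "vpn_login", "user": "svc_backup", "country": "RO"},
    {"ts": D.replace(hour=2, minute=0), "kind": "logon", "user": "svc_backup", "host": "FS01"},
    {"ts": D.replace(hour=2, minute=1), "kind": "logon", "user": "svc_backup", "host": "FS02"},
    {"ts": D.replace(hour=2, minute=2), "kind": "logon", "user": "svc_backup", "host": "DC01"},
    {"ts": D.replace(hour=2, minute=3), "kind": "logon", "user": "svc_backup", "host": "FS03"},
    {"ts": D.replace(hour=2, minute=4), "kind": "logon", "user": "svc_backup", "host": "BK01"},
    {"ts": D.replace(hour=2, minute=5), "kind": "process", "user": "svc_backup", "host": "DC01", "process": "powershell.exe"},
    {"ts": D.replace(hour=2, minute=6), "kind": "logon", "user": "svc_backup", "host": "APP02"},
    {"ts": D.replace(hour=9, minute=0), "kind": "vpn_login", "user": "jdoe", "country": "US"},
    {"ts": D.replace(hour=9, minute=1), "kind": "logon", "user": "jdoe", "host": "WS07"},
    {"ts": D.replace(hour=9, minute=10), "kind": "process", "user": "jdoe", "host": "WS07", "process": "powershell.exe"},
]


def unusual_vpn_then_admin(events):
    """Flag a VPN login from a country outside the user's baseline that is
    followed within FOLLOWUP_WINDOW by admin tooling under the same account.
    Returns (user, country, [tools seen]) per flagged login."""
    findings = []
    for login in events:
        if login["kind"] != "vpn_login":
            continue
        if login["country"] in VPN_BASELINE.get(login["user"], set()):
            continue
        follow = [
            e["process"] for e in events
            if e["kind"] == "process" and e["user"] == login["user"]
            and e["process"].lower() in ADMIN_TOOLS
            and login["ts"] <= e["ts"] <= login["ts"] + FOLLOWUP_WINDOW
        ]
        if follow:
            findings.append((login["user"], login["country"], follow))
    return findings


def rapid_account_spread(events):
    """Flag an account that logs on to more than SPREAD_THRESHOLD distinct
    hosts inside any SPREAD_WINDOW. Returns {user: max distinct hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "logon":
            by_user[e["user"]].append((e["ts"], e["host"]))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t <= start + SPREAD_WINDOW}
            if len(hosts) > SPREAD_THRESHOLD:
                findings[user] = max(findings.get(user, 0), len(hosts))
    return findings


if __name__ == "__main__":
    for user, country, tools in unusual_vpn_then_admin(EVENTS):
        print(f"[VPN+admin] {user} logged in from {country}, then ran {tools}")
    for user, n in rapid_account_spread(EVENTS).items():
        print(f"[spread] {user} reached {n} hosts within {SPREAD_WINDOW}")
```

The baseline is what turns a "valid" VPN login into a signal: the login itself passes authentication, so the only thing that distinguishes it is what the account normally looks like and what it does next. The same two functions work on real VPN, 4624 and process-creation events once mapped to the assumed fields.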

Splunk Detection Rules (SPL)

Shadow Copy Deletion

index=endpoint_logs
(CommandLine="*vssadmin*" OR CommandLine="*shadowcopy*")
AND CommandLine="*delete*"

Suspicious PowerShell Execution

index=endpoint_logs process_name=powershell.exe
(CommandLine="*-ExecutionPolicy Bypass*" OR CommandLine="*EncodedCommand*")

Mass Encryption Activity

index=filesystem_logs
(file_extension=".trident" OR file_extension=".tlck")
| stats count by host
| where count > 100

Large HTTPS Exfiltration

index=network_logs dest_port=443
| stats sum(bytes_out) as total_bytes by src_ip
| where total_bytes > 500000000

Microsoft Sentinel (KQL) Detection Rules

Shadow Copy Deletion

DeviceProcessEvents
| where ProcessCommandLine has "vssadmin"
| where ProcessCommandLine has "delete"

Unauthorized PowerShell

DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has "ExecutionPolicy Bypass"

Mass File Encryption

DeviceFileEvents
| where FileName endswith ".trident" or FileName endswith ".tlck"
| summarize count() by DeviceName, bin(TimeGenerated, 5m)
| where count_ > 100

Suspicious Scheduled Task

DeviceProcessEvents
| where ProcessCommandLine has "schtasks"
| where ProcessCommandLine has "/ru SYSTEM"
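The SPL and KQL rules above, together with the Command-Line Indicators list, expressed as plain Python over constructed sample events so the matching logic can be read and tested outside a SIEM. This is an added example, not code from the original post or from either vendor; the event field names, hostnames, IP addresses and timestamps are assumptions, while the thresholds (more than 100 ransomware-extension files per host per 5-minute bin, more than 500 MB outbound on TCP 443) and the command lines come from the rules and indicators on the page.

```python
"""Plain-Python mirror of the page's detection rules over constructed events.
Field names, hosts, IPs and timestamps are assumptions; thresholds and the
command-line indicators come from the page."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RECOVERY_TAMPER = ("vssadmin", "shadowcopy", "bcdedit")   # binaries in the IOC list
RANSOM_EXTS = (".trident", ".tlck", ".locktrident")        # extensions observed
MASS_RENAME_THRESHOLD = 100           # files per host per 5-minute bin (page rule)
EXFIL_THRESHOLD_BYTES = 500_000_000   # 500 MB outbound per source IP (page rule)
BIN = timedelta(minutes=5)

T0 = datetime(2026, 1, 3, 2, 15)  # constructed off-hours timestamp

# Constructed process events; command lines are the page's indicators plus benign look-alikes.
PROCESS_EVENTS = [
    {"host": "FS01", "process": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS02", "process": "wmic.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS01", "process": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS12", "process": "powershell.exe", "cmdline": "powershell -ExecutionPolicy Bypass -File svhost_update.ps1"},
    {"host": "WS07", "process": "powershell.exe", "cmdline": "powershell -NoProfile Get-Service"},
    {"host": "WS07", "process": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
]
# Constructed file events: 150 renames in 150 seconds on FS01, one stray file on WS07.
FILE_EVENTS = (
    [{"host": "FS01", "ts": T0 + timedelta(seconds=i), "filename": f"doc{i}.docx.trident"} for i in range(150)]
    + [{"host": "WS07", "ts": T0, "filename": "notes.txt.tlck"}]
)
# Constructed flows: one host pushes 700 MB over 443 in two sessions; SMB volume is out of scope.
FLOWS = [
    {"src_ip": "10.20.5.14", "dest_port": 443, "bytes_out": 400_000_000},
    {"src_ip": "10.20.5.14", "dest_port": 443, "bytes_out": 300_000_000},
    {"src_ip": "10.20.5.9", "dest_port": 443, "bytes_out": 20_000_000},
    {"src_ip": "10.20.5.9", "dest_port": 445, "bytes_out": 900_000_000},
]


def shadow_copy_deletion(process_events):
    """'Shadow Copy Deletion' rules: a recovery-tampering binary combined with
    a delete verb or the bcdedit recovery-disable switch."""
    hits = []
    for ev in process_events:
        cmd = ev["cmdline"].lower()
        if any(tok in cmd for tok in RECOVERY_TAMPER) and (
            "delete" in cmd or "recoveryenabled no" in cmd
        ):
            hits.append((ev["host"], ev["cmdline"]))
    return hits


def suspicious_powershell(process_events):
    """PowerShell rules: powershell.exe with a policy bypass or an encoded command."""
    return [
        (ev["host"], ev["cmdline"])
        for ev in process_events
        if ev["process"].lower() == "powershell.exe"
        and ("-executionpolicy bypass" in ev["cmdline"].lower()
             or "encodedcommand" in ev["cmdline"].lower())
    ]


def mass_encryption(file_events):
    """KQL 'Mass File Encryption' rule: count ransomware extensions per host
    per 5-minute bin and return (host, bin_start, count) above the threshold."""
    epoch = datetime(1970, 1, 1)
    counts = Counter()
    for ev in file_events:
        if ev["filename"].lower().endswith(RANSOM_EXTS):
            bucket = (ev["ts"] - epoch) // BIN   # integer bin index since epoch
            counts[(ev["host"], bucket)] += 1
    return [(host, epoch + bucket * BIN, n)
            for (host, bucket), n in counts.items() if n > MASS_RENAME_THRESHOLD]


def large_exfil(flows):
    """'Large HTTPS Exfiltration' rule: total bytes_out per source IP to TCP 443."""
    totals = defaultdict(int)
    for f in flows:
        if f["dest_port"] == 443:
            totals[f["src_ip"]] += f["bytes_out"]
    return {ip: b for ip, b in totals.items() if b > EXFIL_THRESHOLD_BYTES}


if __name__ == "__main__":
    print("recovery tampering:", shadow_copy_deletion(PROCESS_EVENTS))
    print("suspicious powershell:", suspicious_powershell(PROCESS_EVENTS))
    print("mass encryption:", mass_encryption(FILE_EVENTS))
    print("large exfil:", large_exfil(FLOWS))
```

Note the benign look-alikes in the sample: `vssadmin list shadows` and an ordinary `powershell -NoProfile` invocation fall through, which is the same precision the SIEM rules aim for. The 500 MB figure is a per-source total, so the two 300 MB and 400 MB sessions from one host still trip the rule even though neither alone would.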

Impact Assessment

Impacted:

  • Internal business systems
  • File servers and shared drives
  • Employee-related data
  • Operational continuity

Not Impacted (Confirmed):

  • Classified government systems
  • Core government networks
  • Payment or financial platforms

Response & Remediation

Following discovery:

  • Affected systems were isolated
  • Enterprise-wide password resets were enforced
  • VPN access was hardened with MFA
  • Backup architecture was segmented
  • Continuous monitoring rules were enhanced
  • Law enforcement and regulators were notified

Why This Incident Matters

This breach highlights a critical reality: modern ransomware does not need exploits. A single compromised credential can be enough. TridentLocker succeeded by blending into normal IT behavior, stealing data first, and encrypting only when leverage was guaranteed.

For government contractors and service providers, identity security, monitoring lateral movement, and outbound traffic visibility are now as important as traditional malware defenses.


Final Takeaway

This incident serves as a clear example of how quiet, methodical attacks can cause serious impact without triggering early alarms. Detection depends on behavior, correlation, and identity awareness—not just antivirus alerts.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.