Executive Summary

On January 4, 2026, claims administration firm Sedgwick confirmed a ransomware attack against its subsidiary, Sedgwick Government Solutions (SGS). The incident, claimed by the new TridentLocker ransomware group, involved the exfiltration of 3.4 GB of data from a file transfer system. While Sedgwick reports that its primary corporate network and claims management servers were not affected due to network segmentation, the breach poses a significant supply chain risk. SGS is a critical federal contractor serving numerous U.S. government agencies, including the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). This attack underscores the vulnerability of government supply chains to emerging ransomware threats.

Threat Overview

The attack was claimed on New Year's Eve by TridentLocker, a relatively new ransomware-as-a-service (RaaS) group that first appeared in late November 2025. The group employs a double-extortion model, combining data encryption with the threat of leaking stolen information. In this case, TridentLocker posted samples of stolen documents on its dark web leak site to validate its claim of exfiltrating 3.4 GB of data. The initial access vector targeted an "isolated file transfer system" within SGS, suggesting a potential vulnerability or compromised credential related to that specific environment. The targeted organization, SGS, provides claims and risk management services to a sensitive portfolio of clients, including DHS, ICE, CBP, the Department of Labor, and the Smithsonian Institution.

Technical Analysis

The attack pattern is characteristic of modern ransomware operations focusing on data exfiltration prior to encryption. The threat actor, TridentLocker, likely gained initial access through a compromised account or an exploited vulnerability on the internet-facing file transfer system.

MITRE ATT&CK Techniques

• Initial Access: Likely T1078 - Valid Accounts or T1190 - Exploit Public-Facing Application targeting the file transfer system.
• Collection: T1560 - Archive Collected Data, where attackers compress data before exfiltration. The 3.4 GB figure suggests a staged and compressed data package.
• Exfiltration: T1567.002 - Exfiltration to Cloud Storage or a similar web-based service to move the stolen data out of the network.
• Impact: T1486 - Data Encrypted for Impact is the primary goal of ransomware, though the report focuses on exfiltration. T1485 - Data Destruction is also a possibility if files are deleted after encryption. The public leak threat corresponds to T1657 - Financial Cryptography.

Impact Assessment

The primary impact is the significant supply chain risk to the U.S. government. The exfiltrated data, although limited to 3.4 GB, could contain sensitive information related to federal contracts, claims processing, or personally identifiable information (PII) of government employees. A breach at a contractor like SGS can provide adversaries with intelligence on government operations, personnel, or security postures. Even if core claims systems were not breached, the reputational damage to Sedgwick is substantial. The incident forces SGS's high-profile government clients to assess their own exposure and the security of their third-party vendors, potentially leading to contract reviews and heightened scrutiny.

Cyber Observables for Detection

Security teams should hunt for the following activities, which are common in such attacks:

Detection & Response

Detection:

1. Network Traffic Analysis: Implement solutions (D3-NTA) to monitor for large, unexpected outbound data transfers, especially from systems like file servers or transfer appliances that hold sensitive data. Set alerts for transfers exceeding a baseline threshold.
2. Log Monitoring: Aggregate and analyze logs from file transfer systems. Look for patterns of enumeration, multiple failed logins followed by a success, or access from non-standard IP addresses.
3. Endpoint Detection and Response (EDR): Deploy EDR agents on servers, including file transfer systems, to detect ransomware behaviors such as rapid file modification, shadow copy deletion (vssadmin), and the execution of suspicious archiving or exfiltration tools.

Response:

• Isolate the compromised system from the network immediately to prevent lateral movement, as Sedgwick did.
• Activate the incident response plan, including engaging third-party forensic experts.
• Preserve logs and system images for investigation.
• Review access logs for the compromised system to identify the full scope of data accessed.

Mitigation

Strategic:

• Third-Party Risk Management: Continuously assess the security posture of all critical third-party vendors and supply chain partners.
• Network Segmentation: Implement and maintain robust network segmentation (D3-NI) to isolate critical systems and prevent a breach in one area from spreading. Sedgwick's segmentation was a key mitigating factor.
• Data Encryption: Encrypt sensitive data at rest and in transit to reduce the impact of an exfiltration event.

Tactical:

• Harden Public-Facing Systems: Secure all internet-facing systems, including file transfer appliances, by applying patches promptly, disabling unnecessary services, and using strong, unique credentials.
• Multi-Factor Authentication (MFA): Enforce MFA (D3-MFA) on all external access points, including VPNs and file transfer portals.
• Immutable Backups: Maintain offline and immutable backups of critical data to ensure recovery without paying a ransom.