Ingram Micro acknowledges ransomware as the cause of prolonged service interruption
In a significant cybersecurity incident, global distributor Ingram Micro is currently working to restore its systems following a ransomware attack by the SafePay ransomware crew. The attack, confirmed on July 3, 2025, has disrupted the company's internal systems and customer-facing services, causing operational disruption that lasted approximately 48 hours.
The incident was first detected on July 3, 2025, at around 8:00 AM Eastern Time, following anomalous network activity. Upon discovery, Ingram Micro promptly secured the affected environment by taking certain systems offline and applying mitigation measures. The company engaged leading cybersecurity experts to conduct a thorough investigation and involved law enforcement authorities. Recovery efforts included emergency patching, system isolation to prevent lateral spread, and progressive restoration of services.
The SafePay ransomware crew has claimed responsibility for the attack and is demanding money from Ingram Micro within seven days. It is suspected that SafePay may have entered Ingram's systems via its GlobalProtect VPN platform, but this remains unconfirmed. The ransomware attack has affected Ingram Micro's internal systems and customer-facing services, including the recently launched Xvantage distribution platform, which uses AI for quote creation, order management, and real-time tracking.
The outage has hindered the ability to process and ship orders, potentially causing significant financial losses. Based on the company's Q1 2025 revenue, it is estimated that over $136 million in sales could be lost for each day of downtime. Ingram Micro has notified customers, vendors, and stakeholders about the disruption and has maintained communication throughout the incident, issuing apologies for the inconvenience caused.
Graham Cluley, Fortra's cybercrime researcher, advises organizations to defend against ransomware attacks like SafePay's by enforcing multi-factor authentication on all remote access points, disabling unused RDP or VPN access, and using IP allowlists or geofencing where possible. SafePay was the most active ransomware crew in the world in May, according to threat intelligence service Fortra.
The SafePay ransomware crew has threatened to publish encrypted data on the web if their demands are not met. The ransom note from the SafePay criminals claims that they accessed sensitive and confidential information, including financial statements, intellectual property, accounting records, lawsuits and complaints, personal and customer files, bank details, transactions, and more.
Ingram Micro remains silent about the issue, with no official comment as of July 4 at 3pm UTC amid an "ongoing system outage." It is reported that staff at Ingram's Bulgaria-based service center were sent home on July 4 and asked to keep their laptops disconnected as systems were turned off.
As the investigation continues, Ingram Micro and the cybersecurity community will be closely monitoring the situation and the actions of the SafePay ransomware crew. The company's coordinated response, involving rapid detection, containment, expert investigation, and phased recovery, demonstrates a commitment to addressing the incident and resuming global supply chain operations.
- The cybersecurity experts engaged by Ingram Micro are focusing on analyzing the vulnerability that potentially allowed the SafePay ransomware to infiltrate the company's GlobalProtect VPN platform.
- To bolster its security measures, Ingram Micro may consider implementing advanced AI-driven security solutions to identify and thwart future threats, as demonstrated by the Xvantage distribution platform's AI capabilities.
- With the disruption caused by the ransomware attack, Ingram Micro may find it beneficial to invest in robust cloud-based storage and disaster recovery systems, ensuring business continuity in the event of future cybersecurity incidents.
- In light of the ongoing attack, data and cloud computing providers must reinforce their security measures, especially to protect against ransomware like SafePay, to maintain the trust and service uptime expected by their clients worldwide.