
Ingram Micro, a prominent global IT distributor, faced a severe ransomware attack attributed to the SafePay group, resulting in extensive system outages and operational disruptions. The attack, initiated on July 3, 2025, exploited vulnerabilities in the company’s GlobalProtect VPN platform, leading to significant delays in order processing and shipment. Ingram Micro has since restored operations, highlighting the critical need for robust cybersecurity measures in the IT distribution sector.
The Attack Unfolds
On July 3, 2025, Ingram Micro’s internal systems were compromised by the SafePay ransomware group, causing immediate disruptions across its global operations. Employees reported finding ransom notes on their devices, indicating the presence of the ransomware. The company responded swiftly by taking affected systems offline to contain the breach and prevent further damage.
Impact on Operations
The ransomware attack led to widespread outages, affecting Ingram Micro’s website, online ordering systems, and key platforms such as Xvantage and Impulse. These disruptions hindered the company’s ability to process and ship orders, causing delays for customers and partners worldwide. The attack also impacted licensing services, including those for Microsoft 365 and Dropbox, further complicating the company’s recovery efforts.
Response and Recovery
Ingram Micro’s response to the attack was prompt and coordinated. The company engaged third-party cybersecurity experts and law enforcement to investigate the incident and mitigate its effects. Within days, Ingram Micro began restoring its systems, prioritizing the resumption of order processing and shipment capabilities. By July 10, 2025, the company reported full restoration of global operations, emphasizing the resilience of its Xvantage platform in facilitating a rapid recovery.
The SafePay Ransomware Group
The SafePay group, responsible for the attack, is a relatively new but highly active ransomware operation. Unlike many ransomware-as-a-service models, SafePay conducts all phases of its attacks independently, including initial compromise, data exfiltration, and ransom negotiations. This approach makes the group particularly formidable, as it maintains full control over the attack process, increasing the complexity of defense and mitigation efforts.
Broader Implications
The Ingram Micro incident underscores the vulnerabilities present in the IT distribution sector and the critical importance of robust cybersecurity measures. As a key player in the global supply chain, Ingram Micro’s downtime had cascading effects, delaying hardware deliveries, cloud subscriptions, and enterprise deployments. The attack highlights the need for organizations to implement comprehensive security protocols, conduct regular vulnerability assessments, and develop effective incident response strategies to mitigate the risks associated with cyber threats.
Lessons Learned
The Ingram Micro ransomware attack serves as a stark reminder of the evolving threat landscape and the necessity for continuous vigilance. Organizations must prioritize cybersecurity by investing in advanced threat detection systems, ensuring timely patch management, and fostering a culture of security awareness among employees. Additionally, establishing clear communication channels with customers and partners during incidents is crucial to maintain trust and facilitate coordinated recovery efforts.