
Global IT distribution giant Ingram Micro has confirmed it suffered a ransomware attack after a days-long service outage that disrupted its core operations, including order processing and communications.
The attackers have been identified as the SafePay ransomware gang, a rapidly growing cybercriminal group active since late 2024.
The cyberattack began in the early hours of Thursday, July 3. Employees discovered ransom notes left on compromised systems, signaling a large-scale breach. The company remained silent about the nature of the incident for several days, issuing its first official statement only on Sunday, July 6, acknowledging that ransomware had been found on its internal systems. Ingram Micro stated it immediately shut down affected environments, disconnected certain systems, and launched an investigation with assistance from external cybersecurity experts. Law enforcement has also been notified.
Initial signs of trouble appeared mid-week when customers reported on Reddit that Ingram Micro's website and backend systems had become inaccessible. Many experienced unresponsive phone lines and failed email communications, while unconfirmed rumors of a potential cyberattack circulated. According to one user claiming to work at an Ingram Micro facility, internet connectivity and internal monitoring platforms were abruptly taken offline, leading employees to suspect a widespread ransomware event. Another claimed internal whispers pointed to a network compromise, possibly via a malicious software download.
Ingram Micro, listed on the NYSE under the ticker INGM, is a central player in the global IT supply chain. The company provides distribution, logistics, and lifecycle services for hardware and cloud products, with a reach spanning over 90% of the global population. Its AI-driven Xvantage™ platform and Impulse licensing portal form a critical part of daily operations for thousands of resellers and managed service providers worldwide.
The attack impacted several of these systems. According to BleepingComputer, citing insider sources, the AI-powered Xvantage platform and the Impulse license provisioning tool were rendered non-functional, while productivity platforms such as Microsoft 365, Teams, and SharePoint reportedly remained operational. Sources suggest that Ingram Micro's GlobalProtect VPN may have been the point of entry, with threat actors leveraging compromised credentials or password-spraying techniques to infiltrate the network, a method consistent with SafePay's known tactics.
SafePay, the ransomware group behind the breach, is a relatively new but aggressive actor in the ransomware space. First observed in November 2024, it has claimed over 220 victims globally. The gang often uses generic ransom note language that boasts of data exfiltration, though it remains unclear whether any sensitive data was actually stolen in this attack. As of now, Ingram Micro has not confirmed any data breach or exfiltration.
Despite the company's efforts to restore operations, many users and partners remain frustrated over the lack of transparency and prolonged downtime. Some customers, especially cloud service providers that depend on license provisioning through Ingram Micro, voiced concerns about potential downstream impacts, particularly if administrative access to Microsoft 365 tenants had been compromised.