Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

 

As Ingram Micro is dealing with a widespread outage in its global technology distribution operations that appears to be directly linked to a ransomware attack by the cybercrime group SafePay, the company appears to be experiencing a significant disruption. The company has shut down internal systems due to the incident, which has affected the company's website and online ordering platform since Thursday, according to information obtained by BleepingComputer. 

Despite the fact that Ingram Micro is a major business-to-business technology distributor and service provider that offers hardware, software, cloud solutions, logistics, and training to resellers and managed service providers across the world, it has not yet been publicly confirmed what caused the disruption. According to a ransomware group known as SafePay, the group has issued an ultimatum to Ingram Micro, warning that it will publish 3.5 terabytes of allegedly stolen data unless they are paid a ransom by August 1st. 

Several prominent warning signs, along with a countdown clock, are prominently displayed on the leak site of the group, increasing the pressure on the California-based technology distributor to enter into negotiations with the group. During an ongoing investigation, Ingram Micro informed the public on 5 July of a ransomware attack, which resulted in certain internal systems being shut down as a precaution. 

SafePay did not confirm at that time that any data exfiltration occurred, but now, following the breach, the company claims responsibility and asserts that it has obtained a significant volume of sensitive corporate information. A security researcher has found code similarities to the LockBit ransomware family, suggesting a potential rebrand or offshoot. SafePay started causing threats in late 2024 to at least twenty organisations across different industries.

With the group operating under a double-extortion model, not only do they encrypt compromised systems, but they also threaten victims with leaking their data should they refuse to pay the ransom. In the course of investigating the incident, it has been determined that SafePay was responsible for orchestrating the attack, a comparatively new type of ransomware which emerged between September and November 2024. 

Ingram Micro had not attributed the attack to any specific threat actor. However, BleepingComputer has now discovered a link between the breach and the group that employs the double-extortion model, in which data is stolen and encrypted using system encryption, as well as claiming to have compromised more than 200 companies across a wide range of fields, including manufacturing, healthcare, and education. 

There has been some speculation that SafePay exploited vulnerabilities in the GlobalProtect VPN platform to gain access to the company and left ransom notes on the company's employee devices. As a result of the attack, Ingram Micro's AI-driven Xvantage distribution system, as well as its Impulse license provisioning platform, both critical components of the organisation's global operations, were reportedly affected by the hack.

According to Ingram Micro's announcement on July 5, a number of internal systems had been identified as infected with malicious software, following a ransomware attack. An immediate precautionary measure was taken by the company to secure its environment, including proactively taking down systems and implementing mitigation measures, and the company announced the following week that global operations were fully back to normal. 

There has been no mention of the stolen data, ransom demands, or who was responsible on the company's official incident update page or in its 8-K filing to the Securities and Exchange Commission, as of 7 July. Although the company has continued to acknowledge that it is actively investigating the scope of the incident and the nature of any data affected, it has opted not to comment further on it. 

Interestingly, however, the ransomware group SafePay—which claims responsibility for the intrusion—is more forthright, claiming that it has infected 3.5 terabytes of sensitive data and has set the public release deadline of 1 August 2025 if a ransom is not paid. Consequently, a countdown clock is displayed on their leak site stating that if the ransom is not paid, it will release the data publicly. 

As an intermediary in the supply chain for major technology vendors, Ingram Micro is the largest reseller and enterprise network in the world, servicing over 160,000 resellers and enterprise customers worldwide. There is a growing concern among security specialists that the exposure of partner agreements, customer records, and proprietary product information may have a far-reaching impact across the technology channel. 

From enabling targeted phishing attacks to eroding competitive advantages, the risks are extensive across the technology channel. According to industry consultants, organisations should take steps to strengthen access controls, enforce multifactor authentication, monitor for emerging vulnerabilities, and limit remote access to secured VPNs to prevent such threats. 

While Ingram Micro is still investigating the SafePay leak, the persistent countdown clock on the leak site indicates that no agreement has been reached, which makes it more likely for full disclosure of data to occur. If the claimed dataset is made available, vendors, resellers, and end users might have to reset their credentials on a large scale, prepare for targeted scams, and comply with any potential regulatory reporting requirements. 

Security researchers are then expected to examine these files for potential indicators of compromise and tactical insights that could mitigate similar attacks in the future, as well as the likelihood of these attacks occurring again. It was in a brief announcement published by Ingram Micro on a Sunday morning that they had been victimised by ransomware attacks, stating that malicious software was detected on several internal systems. 

During the investigation, the company reported that it took immediate steps to secure its environment, including the initiation of a proactive shutdown of the affected systems, the implementation of additional mitigation measures, the launch of an investigation with the assistance of leading cybersecurity experts, and the notification of authorities. 

Despite the inconvenience caused by Ingram Micro, the company has expressed its sincere apologies to customers, vendors, and partners, as well as a commitment to restoring affected systems so normal order processing and shipping can resume. Palo Alto Networks responded to reports suggesting that attackers had gained access via Ingram Micro's GlobalProtect VPN gateway on 7 Julyemphasisingng that the company was investigating the claims and emphasising that threat actors regularly infiltrate VPNs by using stolen credentials or misconfigured networks. 

It was reported that Ingram Micro had made great progress toward restoring transactional operations by 8 July. Subscription orders, renewals, and modifications had been processed globally again through its central support organisation, and customers across multiple countries, including the UK, Germany, France, Italy, Spain, Brazil, India, China, Portugal, and the Nordic countries, were accepting phone or email orders. 

There are still some restrictions that apply to hardware and technology orders. Sources also indicate that VPN access has been restored in certain regions. Palo Alto Networks later confirmed that none of the company's products were exploited or compromised by the breach. In spite og only operating for about a year, SafePay has established a substantial footprint in the cybercrime landscape, displaying 265 victims on the dark web leak site it has operated for. 

Having been identified in September 2024, this group is believed to have previously deployed LockBit ransomware, though it is unclear whether it is related to LockBit. The SafePay ransomware company claims it is different from many contemporary ransomware operations because it does not utilise affiliates to breach networks as a ransomware-as-a-service model. 

A report by Emsisoft’s Brett Callow indicates that this strategy, along with the preference for a low public profile of the group, may be the group’s attempt to avoid the intense scrutiny that law enforcement authorities have been paying for actions taken against other high-profile gangs in recent months. Among the most active ransomware actors worldwide, SafePay is ranked fourth behind Qilin, Akira, and Play in NCC Group's second quarter 2025 report. 

It has been estimated that this group is responsible for 70 attacks in May 2025 alone, which makes them the most active ransomware operators in the entire month. Ingram Micro and its global network of partners were impacted by the SafePay attack that led to a cascade of operational, financial and reputational consequences. It was reported that technology resellers, managed service providers, and vendors worldwide were unable to conduct transactions due to the downtime of digital commerce platforms, order processing systems, and cloud license provisioning systems. 

As a result of the disruption, hardware and cloud shipments slowed, and downstream partners sought alternate distribution channelsemphasisingng the central role large distributors play in supplying IT products. In the wake of the outage, industry analysts estimate that SafePay has lost up to $136 million in revenue per day, according to industry analysts. SafePay claims to have exfiltrated 3.5 terabytes of sensitive data, including financial, legal, and intellectual property. If its ransom demands are not met, it threatens public release. 

The prolonged downtime, along with limited communication from the company, caused criticism from both customers and industry observers. Experts believe that the incident underscores the vulnerable nature of VPNs and identity management systems, especially where multi-factor authentication is lacking, password security is not enforced, and timely patches aren't applied promptly. 

The report also reflects the increasing use of double-extortion tactics, which combine system encryption with the threat of sensitive data leaks to achieve double extortion. Thus, organisations must prepare not only for the restoration of services, but also for possible repercussions in terms of privacy and legality. Although Ingram Micro had restored global services on 30 July 2025, it remains under continuous extortion threat, and the company is still undergoing an extensive forensic investigation. 

As a result of the Ingram Micro incident, ransomware operations have become increasingly sophisticated and persistent, where a technical compromise is just the beginning of a broader campaign of intimidation and leverage. The tactics employed by SafePay—combining the operational paralysis of core systems with the looming threat of massive data loss—illustrate how modern cyberattacks are built to exert sustained pressure on victims for quite some time after initial containment measures have been completed. 

It has served as a reminder for global supply chain operators that security perimeters must extend far beyond traditional network defenses, including identity verification, remote access governance, and proactive vulnerability management, in addition to traditional network defenses. In light of the interconnected nature of modern information technology ecosystems, it is evident that disruptions can cause shockwaves across multiple industries and markets if a single node is disrupted. 

Several experts have noted that in the wake of high-profile supply chain breaches, threat actors are likely to be more focused on distributors and service aggregators, since they have extensive vendor and customer relationships, which have the potential to increase the impact of financial gains and reputational harm. It is also likely that regulatory bodies will examine these incidents with greater care, particularly where they involve the disclosure of sensitive partner information or customer information, which can result in broader compliance obligations as well as legal liabilities. 

Taking Ingram Micro to the next level will require not only the resolution of immediate security and operational issues, but also the rebuilding of trust with the vast network of customers and partners the company has cultivated. 

To reduce the long-term repercussions of the incident, it is crucial to be transparent in communications following the incident, to demonstrate security enhancements, and to collaborate with the industry to share intelligence on emerging threats. In the course of the investigation, it is likely to become an important reference point for cybersecurity strategy debates, as well as in shaping future policy aimed at protecting global supply chains against cybersecurity threats.