Everything we know about the Ingram Micro cyber attack so far
The ransomware attack on Ingram Micro has been claimed by the rapidly-expanding SafePay group
Ingram Micro has been hit by a cyber attack believed to have been carried out by the SafePay ransomware group.
The attack, which took place last week, disrupted the IT distributor's systems and affected deliveries in Europe, the US, and Asia.
In a statement confirming the incident, Ingram Micro said it identified ransomware on “certain” internal systems and is working to limit disruption.
"Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures," the company said.
"The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement."
The attack has been claimed by the SafePay ransomware group, according to reports from Bleeping Computer, which said it's believed that the group breached the firm through its GlobalProtect virtual private network (VPN) platform.
"Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you," the group said in a ransom note seen by the publication.
SafePay claims to have accessed data including financial information, intellectual property, accounting records, personal and customer files, bank details, transactions, and information pertaining to lawsuits and complaints.
"We are suggesting a mutually beneficial solution to the issue. You submit a contact request and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data," it said.
"We are not a politically motivated group and want nothing more than monetary reward. Provided you pay, we will honour all the terms we agreed to during the negotiation process."
Ingram Micro the latest in a string of SafePay attacks
SafePay first emerged last September, but has been highly active since. Analysis from Quorum Cyber, for example, rated it as the fourth most active group globally in March this year, posting 43 confirmed victims to its dark web Data Leak Site (DLS).
The group has previous recorded attacks using VPNs or Remote Desktop Protocol credentials. These are typically obtained through ‘stealware’ malware or through purchases from dark web marketplaces.
So far, SafePay has focused its attention mainly on targets in the US, Germany, and the UK, with attacks against the US and Germany often carried out in large waves, with ten or more per day.
Separate analysis from Cyble shows the group targets a wide range of sectors, focusing heavily on healthcare and education, but with other victims in government, finance, and IT.
In May, Cyble said it was the most active ransomware group in the world, with 58 claimed victims.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A major ransomware hosting provider just got hit US with sanctions
- The new ransomware groups worrying security researchers in 2025
- Ransomware victims are getting better at haggling with hackers
-
Mistral CEO Arthur Mensch thinks 50% of SaaS solutions could be supplanted by AINews Mensch’s comments come amidst rising concerns about the impact of AI on traditional software
-
Westcon-Comstor and UiPath forge closer ties in EU growth driveNews The duo have announced a new pan-European distribution deal to drive services-led AI automation growth
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoingNews Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
The FBI has seized the RAMP hacking forum, but will the takedown stick? History tells us otherwiseNews Billing itself as the “only place ransomware allowed", RAMP catered mainly for Russian-speaking cyber criminals
-
Everything we know so far about the Nike data breachNews Hackers behind the WorldLeaks ransomware group claim to have accessed sensitive corporate data
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Hacker offering US engineering firm data online after alleged breachNews Data relating to Tampa Electric Company, Duke Energy Florida, and American Electric Power was allegedly stolen
-
Cybersecurity experts face 20 years in prison following ransomware campaignTwo men used their tech expertise to carry out ALPHV BlackCat ransomware attacks
