Everything we know about the Ingram Micro cyber attack so far
The ransomware attack on Ingram Micro has been claimed by the rapidly-expanding SafePay group
Ingram Micro has been hit by a cyber attack believed to have been carried out by the SafePay ransomware group.
The attack, which took place last week, disrupted the IT distributor's systems and affected deliveries in Europe, the US, and Asia.
In a statement confirming the incident, Ingram Micro said it identified ransomware on “certain” internal systems and is working to limit disruption.
"Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures," the company said.
"The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement."
The attack has been claimed by the SafePay ransomware group, according to reports from Bleeping Computer, which said it's believed that the group breached the firm through its GlobalProtect virtual private network (VPN) platform.
"Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you," the group said in a ransom note seen by the publication.
SafePay claims to have accessed data including financial information, intellectual property, accounting records, personal and customer files, bank details, transactions, and information pertaining to lawsuits and complaints.
"We are suggesting a mutually beneficial solution to the issue. You submit a contact request and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data," it said.
"We are not a politically motivated group and want nothing more than monetary reward. Provided you pay, we will honour all the terms we agreed to during the negotiation process."
Ingram Micro the latest in a string of SafePay attacks
SafePay first emerged last September, but has been highly active since. Analysis from Quorum Cyber, for example, rated it as the fourth most active group globally in March this year, posting 43 confirmed victims to its dark web Data Leak Site (DLS).
The group's previously recorded attacks have used VPN or Remote Desktop Protocol credentials. These are typically obtained through ‘stealware’ malware or through purchases from dark web marketplaces.
So far, SafePay has focused its attention mainly on targets in the US, Germany, and the UK. Attacks against the US and Germany are often carried out in large waves of ten or more per day.
Separate analysis from Cyble shows the group targets a wide range of sectors, focusing heavily on healthcare and education, but with other victims in government, finance, and IT.
In May, Cyble said it was the most active ransomware group in the world, with 58 claimed victims.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

