Everything we know about the Ingram Micro cyber attack so far
The ransomware attack on Ingram Micro has been claimed by the rapidly-expanding SafePay group
Ingram Micro has been hit by a cyber attack believed to have been carried out by the SafePay ransomware group.
The attack, which took place last week, disrupted the IT distributor's systems and affected deliveries in Europe, the US, and Asia.
In a statement confirming the incident, Ingram Micro said it identified ransomware on “certain” internal systems and is working to limit disruption.
"Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures," the company said.
"The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement."
The attack has been claimed by the SafePay ransomware group, according to reports from Bleeping Computer, which said it's believed that the group breached the firm through its GlobalProtect virtual private network (VPN) platform.
"Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you," the group said in a ransom note seen by the publication.
SafePay claims to have accessed data including financial information, intellectual property, accounting records, personal and customer files, bank details, transactions, and information pertaining to lawsuits and complaints.
"We are suggesting a mutually beneficial solution to the issue. You submit a contact request and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data," it said.
"We are not a politically motivated group and want nothing more than monetary reward. Provided you pay, we will honour all the terms we agreed to during the negotiation process."
Ingram Micro the latest in a string of SafePay attacks
SafePay first emerged last September, but has been highly active since. Analysis from Quorum Cyber, for example, rated it as the fourth most active group globally in March this year, posting 43 confirmed victims to its dark web Data Leak Site (DLS).
The group has previous recorded attacks using VPNs or Remote Desktop Protocol credentials. These are typically obtained through ‘stealware’ malware or through purchases from dark web marketplaces.
So far, SafePay has focused its attention mainly on targets in the US, Germany, and the UK, with attacks against the US and Germany often carried out in large waves, with ten or more per day.
Separate analysis from Cyble shows the group targets a wide range of sectors, focusing heavily on healthcare and education, but with other victims in government, finance, and IT.
In May, Cyble said it was the most active ransomware group in the world, with 58 claimed victims.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A major ransomware hosting provider just got hit US with sanctions
- The new ransomware groups worrying security researchers in 2025
- Ransomware victims are getting better at haggling with hackers
-
US gov makes $2bn investment in domestic quantum firmsNews The Department of Commerce says it wants to strengthen the country's presence in this critical technology sector
-
Data center industry faces ticking power time bombNews Technical and regulatory hurdles make colocation unscalable for most developers, Wood Mackenzie has warned
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recoveryNews Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
News With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacks
News Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoingNews Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos
