Everything we know about the Ingram Micro cyber attack so far
The ransomware attack on Ingram Micro has been claimed by the rapidly-expanding SafePay group
Ingram Micro has been hit by a cyber attack believed to have been carried out by the SafePay ransomware group.
The attack, which took place last week, disrupted the IT distributor's systems and affected deliveries in Europe, the US, and Asia.
In a statement confirming the incident, Ingram Micro said it identified ransomware on “certain” internal systems and is working to limit disruption.
"Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures," the company said.
"The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement."
The attack has been claimed by the SafePay ransomware group, according to reports from Bleeping Computer, which said it's believed that the group breached the firm through its GlobalProtect virtual private network (VPN) platform.
"Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you," the group said in a ransom note seen by the publication.
SafePay claims to have accessed data including financial information, intellectual property, accounting records, personal and customer files, bank details, transactions, and information pertaining to lawsuits and complaints.
"We are suggesting a mutually beneficial solution to the issue. You submit a contact request and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data," it said.
"We are not a politically motivated group and want nothing more than monetary reward. Provided you pay, we will honour all the terms we agreed to during the negotiation process."
Ingram Micro the latest in a string of SafePay attacks
SafePay first emerged last September, but has been highly active since. Analysis from Quorum Cyber, for example, rated it as the fourth most active group globally in March this year, posting 43 confirmed victims to its dark web Data Leak Site (DLS).
The group has previously been recorded carrying out attacks using VPN or Remote Desktop Protocol credentials. These are typically obtained through ‘stealware’ malware or through purchases from dark web marketplaces.
So far, SafePay has focused its attention mainly on targets in the US, Germany, and the UK, with attacks against the US and Germany often carried out in large waves, with ten or more per day.
Separate analysis from Cyble shows the group targets a wide range of sectors, focusing heavily on healthcare and education, but with other victims in government, finance, and IT.
In May, Cyble said it was the most active ransomware group in the world, with 58 claimed victims.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

