Proactive Next Steps Organizations Should Consider After A Ransomware Attack

In early July 2025, Ingram Micro, one of the largest technology distributors and service providers worldwide, suffered an outage caused by a cyberattack attributed to the SafePay ransomware group.

The incident led to the shutdown of internal systems, notably disrupting the company's website and online ordering services. Employees reportedly discovered ransom notes on their devices, associated with SafePay's operations, although it was unclear whether actual data encryption had occurred.

Initial reports suggested the attackers gained entry through the company's GlobalProtect VPN using compromised credentials; later statements clarified that the VPN gateway itself was not exploited, so the entry point was a valid account rather than a software flaw. As a result of the breach, staff in some regions were instructed to work remotely, and certain systems, especially those supporting distribution and license provisioning, were taken offline as a precaution. Other services, such as Microsoft 365, Teams, and SharePoint, continued running.

Ingram Micro did not immediately disclose the full nature of the attack to employees or the public, only referring to ongoing IT issues. Eventually, the company confirmed in a statement that ransomware had been identified on certain systems and detailed their response, which included taking systems offline, launching an investigation with cybersecurity experts, notifying law enforcement, and working to restore operational capabilities.

Days later, the company began to restore some ordering activities, starting with subscription orders processed centrally and telephone or email orders in selected countries. Hardware orders and other technology transactions remained limited, with details to be clarified at the time an order was placed.

SafePay, first observed in November 2024 and responsible for more than 220 attacks since, uses generic ransom notes claiming wide-ranging data theft; in this instance it was not confirmed whether sensitive data was exfiltrated from Ingram Micro.

The company's recovery included a reset of passwords and multi-factor authentication measures, as well as the gradual return of VPN access in multiple countries.

Palo Alto Networks, the provider of the impacted VPN solution, clarified that none of its products were the cause of the breach, attributing the attackers' success to compromised user credentials rather than software vulnerabilities.

Source: https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/

Commentary

Organizations can learn several valuable lessons from the Ingram Micro SafePay ransomware attack and similar incidents.

First is the importance of enforcing strict access controls based on the principle of least privilege, ensuring that users only have access to the data and systems they genuinely need.

Another lesson is the value of a robust authentication process such as multi-factor authentication. Multi-factor authentication prevents a stolen or reused password alone from granting access, which is how the attackers reportedly reached the VPN in this case, and it also limits how freely they can move across the internal network once credentials are compromised.
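One practical check behind this lesson is to audit VPN authentication records for sessions that completed without a second factor and for a successful login that follows a burst of failures against many accounts from the same source. The script below is an added example and is not code from Ingram Micro, Palo Alto Networks, or the original article; the record layout (time, user, src_ip, result, mfa) and the sample records are constructed for illustration, so real GlobalProtect or other VPN logs would need to be mapped into this shape first.

```python
"""Audit VPN authentication records for signs of credential-based access.

Added example, not code from the incident or from any vendor: the record
layout (time, user, src_ip, result, mfa) and the sample records below are
constructed; real GlobalProtect or other VPN logs would need to be mapped
into this shape first.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def audit_vpn_logins(records, window=timedelta(minutes=15), spray_threshold=5):
    """Return findings for (a) successful logins that completed without a
    second factor and (b) a success from a source that had just failed
    against spray_threshold or more distinct accounts within `window`."""
    findings = []
    failures = defaultdict(list)  # src_ip -> [(time, user)] of failed attempts
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["result"] != "success":
            failures[rec["src_ip"]].append((rec["time"], rec["user"]))
            continue
        # A success with no second factor is a policy gap regardless of source.
        if not rec["mfa"]:
            findings.append({"kind": "success_without_mfa", "user": rec["user"],
                             "src_ip": rec["src_ip"], "time": rec["time"]})
        # Distinct accounts this source failed against inside the window.
        recent_users = {u for t, u in failures[rec["src_ip"]]
                        if rec["time"] - t <= window}
        if len(recent_users) >= spray_threshold:
            findings.append({"kind": "spray_then_success", "user": rec["user"],
                             "src_ip": rec["src_ip"], "time": rec["time"],
                             "accounts_tried": len(recent_users)})
    return findings


# Constructed sample: one source tries six accounts, then lands on a valid
# password; one service account logs in without MFA; one normal MFA login.
T0 = datetime(2025, 7, 3, 23, 40)
SAMPLE_RECORDS = []
for i, user in enumerate(["a.chen", "b.ortiz", "c.nwosu", "d.kim", "e.rossi", "f.ali"]):
    SAMPLE_RECORDS.append({"time": T0 + timedelta(minutes=i), "user": user,
                           "src_ip": "203.0.113.7", "result": "failure", "mfa": False})
SAMPLE_RECORDS += [
    {"time": T0 + timedelta(minutes=8), "user": "jdoe", "src_ip": "203.0.113.7",
     "result": "success", "mfa": False},
    {"time": T0 + timedelta(minutes=20), "user": "svc-backup", "src_ip": "198.51.100.9",
     "result": "success", "mfa": False},
    {"time": T0 + timedelta(minutes=25), "user": "m.larsen", "src_ip": "198.51.100.23",
     "result": "success", "mfa": True},
]

if __name__ == "__main__":
    for finding in audit_vpn_logins(SAMPLE_RECORDS):
        print(finding)
```

On the sample data the script raises three findings: the "jdoe" login is flagged both for lacking a second factor and for following six failed attempts from the same address, and the "svc-backup" login is flagged for lacking a second factor. Service accounts that cannot complete MFA are exactly the ones worth reviewing after an incident of this kind.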

Another area of focus is proactive patch and vulnerability management, which requires organizations to consistently update systems and applications to address security flaws before threat actors can exploit them. Although no software vulnerability was exploited in this incident, unpatched edge devices such as VPN gateways remain a common entry point in other ransomware cases.

Educating staff on the dangers of weak or reused passwords and providing ongoing training about phishing and social engineering is crucial for reducing the risks of credential-based attacks.

Regular monitoring for suspicious changes to security settings, especially those related to antivirus or endpoint protection tools, such as real-time protection being disabled or new scanning exclusions being added, can detect attempts by ransomware groups to evade defenses before encryption begins.
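As an added example of such monitoring (not code from the article or from the companies involved), the script below scans exported Windows Defender event records for protection being weakened and escalates when the same change lands on several hosts within minutes, the pattern of a ransomware operator switching off defenses fleet-wide before detonation. The event IDs are those of the Microsoft-Windows-Windows Defender/Operational log; the record layout and the sample events are constructed for this example.

```python
"""Flag tampering with Windows Defender from exported event records.

Added example: the event IDs are those of the Microsoft-Windows-Windows
Defender/Operational log; the record layout and the sample events are
constructed for this example and are not data from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Defender events that indicate protection being weakened, or an attempt to.
WATCHED_EVENTS = {
    5001: ("Real-time protection disabled", "high"),
    5010: ("Malware scanning disabled", "high"),
    5012: ("Virus scanning disabled", "high"),
    5004: ("Real-time protection configuration changed", "medium"),
    5007: ("Antimalware platform configuration changed", "medium"),
    5013: ("Tamper Protection blocked a configuration change", "medium"),
}

# A 5007 event whose new value lives under the Exclusions key means a path,
# process or extension was excluded from scanning: a common prelude to
# dropping a payload. Compared case-insensitively against the message text.
EXCLUSION_MARKER = r"windows defender\exclusions"


def classify(event):
    """Return (severity, detail) for a watched event, or None otherwise."""
    eid = event["EventID"]
    if eid not in WATCHED_EVENTS:
        return None
    detail, severity = WATCHED_EVENTS[eid]
    message = event.get("Message", "")
    if eid == 5007 and EXCLUSION_MARKER in message.lower():
        new_value = message.split("New value:")[-1].strip()
        return "high", "Defender exclusion added: " + new_value
    return severity, detail


def flag_tampering(events, window=timedelta(minutes=10), host_threshold=3):
    """Return one alert per watched event, plus a 'critical' alert when the
    same event fires on host_threshold or more hosts within `window`."""
    alerts = []
    occurrences = defaultdict(list)  # event id -> [(time, host)], time-ordered
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        cls = classify(ev)
        if cls is None:
            continue
        severity, detail = cls
        alerts.append({"severity": severity, "host": ev["Computer"],
                       "time": ev["TimeCreated"], "event_id": ev["EventID"],
                       "detail": detail})
        occurrences[ev["EventID"]].append((ev["TimeCreated"], ev["Computer"]))

    for eid, seen in occurrences.items():
        # Slide a window across the time-ordered occurrences; one campaign
        # alert per event id is enough to page someone.
        for i, (start, _) in enumerate(seen):
            hosts = {host for t, host in seen[i:] if t - start <= window}
            if len(hosts) >= host_threshold:
                alerts.append({"severity": "critical", "host": sorted(hosts),
                               "time": start, "event_id": eid,
                               "detail": f"{WATCHED_EVENTS[eid][0]} on "
                                         f"{len(hosts)} hosts within {window}"})
                break
    return alerts


# Constructed sample: an exclusion added, real-time protection disabled on
# three hosts within minutes, and one host where Tamper Protection held.
T0 = datetime(2025, 7, 4, 2, 15)
SAMPLE_EVENTS = [
    {"TimeCreated": T0, "Computer": "WS-0412", "EventID": 1116,
     "Message": "Malware detected (a detection, not tampering; ignored here)"},
    {"TimeCreated": T0 + timedelta(minutes=1), "Computer": "WS-0412", "EventID": 5007,
     "Message": "Antimalware platform configuration changed. Old value:  "
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                "Exclusions\\Paths\\C:\\ProgramData\\svc = 0x0"},
    {"TimeCreated": T0 + timedelta(minutes=2), "Computer": "WS-0412", "EventID": 5001,
     "Message": "Real-time protection is disabled."},
    {"TimeCreated": T0 + timedelta(minutes=3), "Computer": "WS-0417", "EventID": 5001,
     "Message": "Real-time protection is disabled."},
    {"TimeCreated": T0 + timedelta(minutes=5), "Computer": "SRV-FILE01", "EventID": 5001,
     "Message": "Real-time protection is disabled."},
    {"TimeCreated": T0 + timedelta(hours=6), "Computer": "WS-0200", "EventID": 5013,
     "Message": "Tamper Protection blocked a change to Microsoft Defender Antivirus."},
]

if __name__ == "__main__":
    for alert in flag_tampering(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["host"], alert["detail"])
```

On the sample events the script produces five per-host alerts and one critical alert for real-time protection being disabled on three hosts within ten minutes. The 5013 event is worth keeping as a medium-severity signal even though the change was blocked: it shows where an attacker already has administrative access and is trying.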

Organizations should also maintain independent, regularly tested backups stored offline or on separate networks, so that recovery is possible without paying a ransom if primary systems are compromised.
