Ingram Micro has confirmed a ransomware attack that has forced systems offline and disrupted core services across its global operations. The breach, first reported as an unexplained outage on 3 July, has now been linked to the SafePay ransomware group, one of the more active players in the 2025 threat landscape.
By 6 July, the IT distribution giant broke its silence: “Ingram Micro recently identified ransomware on certain of its internal systems,” the company said in a statement. “Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The Company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”
The company acknowledged the impact on customer operations and emphasized recovery efforts: “Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the Company apologizes for any disruption this issue is causing its customers, vendor partners, and others.”
Silent Systems, Sudden Shutdowns
The attack reportedly began in the early hours of 3 July. Employees arriving at work found ransom notes left on their machines. According to BleepingComputer, the notes matched those used by SafePay, though it remains unclear whether systems were encrypted or if any data was exfiltrated.
The incident took down several of Ingram Micro’s core platforms, including its Xvantage AI-powered distribution system and the Impulse license provisioning tool. The company’s website and ordering systems remain offline. Customers and partners around the world have been affected.
Internal sources told BleepingComputer that employees in certain locations were told to work remotely, and the use of the company’s GlobalProtect VPN was suspended. Microsoft 365, Teams, and SharePoint reportedly continue to operate.
SafePay’s Growing Footprint
SafePay emerged in late 2024 and has already claimed over 220 victims. The group often targets corporate networks through VPN gateways, exploiting compromised credentials and weak authentication controls. In Ingram Micro’s case, early indicators suggest the attackers may have accessed the network via its GlobalProtect VPN, though that link is still under investigation.
Palo Alto Networks, the developer of GlobalProtect, responded to the reports:
“At Palo Alto Networks, the security of our customers is our top priority. We are aware of a cybersecurity incident impacting Ingram Micro and reports that mention Palo Alto Networks’ GlobalProtect VPN,” the company told BleepingComputer. “We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”
A Global Tech Backbone Disrupted
Ingram Micro is one of the largest technology distributors in the world, connecting hardware, software, cloud services, and supply chain solutions with resellers, systems integrators, and managed service providers. Disruption at this scale sends ripples across entire ecosystems, particularly in a channel-driven industry.
For days, the company offered no details to employees or customers, only acknowledging “ongoing IT issues.” That silence is now explained by the forensic work underway behind the scenes. An advisory remains pinned to the homepage.
The broader implications are still unfolding. SafePay’s tactics, including generic data theft claims in its ransom notes, leave many unanswered questions about the extent of the compromise.
What’s clear is that one of the tech world’s largest intermediaries has been hit hard. Ingram Micro, for now, is in recovery mode. And so are its customers.
A Well-timed Attack
“Organisations such as Ingram Micro work on a very tight schedule, moving inventory quickly in and out of its warehouses, and coordinating its operations really closely across warehouses and corporate headquarters,” comments Erich Kron, Security Awareness Advocate at KnowBe4.
“Ransomware attacks such as this that involve encryption can devastate an organisation with such well-coordinated operations. The fact that this was launched on July 3rd, at the start of the U.S. Independence Day holiday is probably no coincidence. Many times, attackers will delay the attack until a holiday, because they know that response times are going to be slower as employees are away celebrating or traveling.”
This is a popular tactic and should be considered, along with recall and contact procedures, around any holidays. “There is a good chance the attackers have been in the network and laying low for days or weeks already.”
Typically, Kron says attackers also steal a copy of as much data as they can to use as leverage in the ransom negotiation phase. “This means employees or customers may have personal information at risk of being dumped on the dark web.”
He says that because ransomware is so effective in highly coordinated and regulated industries, such as manufacturing, medical, or government entities, these sorts of attacks can demand a significant ransom from the victims.
“Organizations in these industries should be very conscious of the ransomware threat, and should employ a comprehensive human risk management plan, as a majority of ransomware is spread through social engineering attacks, or human error such as using poor passwords. In addition, organisations should have regularly tested incident response and continuity of operations plans in place, and should employ data leakage prevention controls.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.