Computer Distributor Ingram Micro Gets Pwned
Some of my colleagues who sell products and other items beyond their knowledge have been struggling with ordering products from Ingram Micro, which is one of the biggest, if not the biggest, computer distributors around. They have had an outage for a few days now, which has led to rumours of them being pwned by hackers.
I guess that we can confirm that Ingram Micro has been pwned:
In a brief Sunday morning announcement, Ingram Micro has confirmed that they suffered a ransomware attack.
“Ingram Micro recently identified ransomware on certain of its internal systems,” reads Ingram Micro’s statement.
“Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The Company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”
“Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the Company apologizes for any disruption this issue is causing its customers, vendor partners, and others.”
Bleeping Computer has seen the ransom note and it appears that Ingram Micro has been pwned by SafePay ransomware. That’s not good, as Ingram Micro is faced with a very stark choice: paying up to maybe get its systems back online quickly (I say “maybe” because there’s no guarantee that a threat actor will keep their word), or somehow fighting through this to get their systems back online, however long that takes. In either case, computer resellers, MSPs, consultants and others are likely going to go to Ingram Micro’s number one competitor, TD Synnex, instead. And some of them may never come back.
Sucks to be Ingram Micro right now. I guess they should have tried harder to keep the bad guys out.
UPDATE: I have several comments related to this.
Rebecca Moody, Head of Data Research at Comparitech:
“SafePay is renowned for both encrypting systems and stealing data, so if ransom demands aren’t met, it’s likely we’ll see Ingram Micro popping up on SafePay’s data leak site in the coming days/weeks. Over the last couple of months, SafePay has stolen an average of 111 GB of data from each victim, which can lead to significant breaches. A prime example is Marlboro-Chesterfield Pathology, P.C., which was targeted by SafePay in January 2025 with the group allegedly stealing 30 GB of data. The healthcare company subsequently issued data breach notifications to nearly 236,000 people.”
“To date, we’ve tracked 238 attacks via SafePay with 32 of these being confirmed by the entity involved. Other tech companies targeted by the group include Microlise (UK) and Conduent (US). Both of these attacks also caused widespread disruption to services.”
Erich Kron, Security Awareness Advocate at KnowBe4:
“Organizations such as Ingram Micro work on a very tight schedule, moving inventory quickly in and out of its warehouses, and coordinating its operations really closely across warehouses and corporate headquarters. Ransomware attacks such as this that involve encryption can devastate an organization with such well-coordinated operations. The fact that this was launched on July 3rd, at the start of the U.S. Independence Day holiday, is probably no coincidence. Many times, attackers will delay the attack until a holiday, because they know that response times are going to be slower as employees are away celebrating or traveling. This is a common tactic and should be considered, along with recall and contact procedures, around any holidays. There is a good chance the attackers have been in the network and lying low for days or weeks already.”
“Typically, attackers also steal a copy of as much data as they can to use as leverage in the ransom negotiation phase. This means employees or customers may have personal information at risk of being dumped on the dark web.”
“Because ransomware is so effective in highly coordinated and regulated industries, such as manufacturing, medical, or government entities, these sorts of attacks can demand a significant ransom from the victims. Organizations in these industries should be very conscious of the ransomware threat, and should employ a comprehensive human risk management plan, as a majority of ransomware is spread through social engineering attacks, or human error such as using poor passwords. In addition, organizations should have regularly tested incident response and continuity of operations plans in place, and should employ data leakage prevention controls.”
UPDATE #2: Here’s a comment from Chris Hauk, Consumer Privacy Champion at Pixel Privacy:
“With the toppling of LockBit and ALPHV, this has opened up ‘opportunities’ for upstart ransomware groups like SafePay. The group first gained fame with an early high-profile SafePay ransomware attack on UK telematics business Microlise, with SafePay claiming to have stolen 1.2 terabytes of data and demanding payment in less than 24 hours. However, little remains known about the group.”
“The reports I’ve seen indicate the group moves quickly, with fast encryption times, seeing attacks typically move from system breach to deployment in less than 24 hours.”
“Organizations can protect against SafePay and similar types of ransomware attacks by placing strict access controls on their systems, strong authentication like multi-factor authentication, monitoring for newly discovered vulnerabilities, and implementing secure VPN connections to provide remote access.”
This entry was posted on July 7, 2025 at 8:37 am and is filed under Commentary with tags Hacked.