The Register

Ingram Micro confirms ransomware behind multi-day outage

Ingram Micro, one of the world’s largest distributors, has confirmed it is trying to restore systems following a ransomware attack.

As The Register exclusively revealed, troubles began on July 3 when trade customers – resellers and managed service providers – complained they were no longer able to place orders after systems and phone lines went down.

Messages dispatched by The Register to contact company execs and its press relations department went unanswered. Ingram Micro finally broke its silence yesterday at around 3pm UTC amid an “ongoing system outage.”

The distributor said:

“Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.

“Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the company apologizes for any disruption this issue is causing its customers, vendor partners, and others.”

Orders for physical product could not be placed, and Ingram was also unable to manage Microsoft 365 and Dropbox licenses. A source told us staff at Ingram’s Bulgaria-based service center were sent home on July 4 and asked to keep their laptops disconnected as systems were turned off.

Ingram turns over hundreds of millions of dollars a day in sales, so disruption to service even for a day is a big deal. It generated revenues of $48 billion in its prior financial year ended December 28, 2024 and recorded a profit of $262.2 million, selling a range of hardware, software, cloud services, IT asset disposition, third-party logistics, dropship and returns management, and remarketing.

The SafePay ransomware crew has taken responsibility for the attack, according to Bleeping Computer, which published a ransom note from the criminals. In it, SafePay claims it exploited “a number of mistakes” Ingram made “in setting up the security of your corporate network, so we were able to spend quite a long time in it and compromise you.”

“It was the misconfiguration of your network that allowed our experts to attack you, so treat this situation as simply as a paid training session for your system administrators.”

The note claims the intruders accessed “sensitive and confidential information” including documents pertaining to financial statements, intellectual property, accounting records, lawsuits and complaints, personal and customer files, bank details, transactions and more.

It adds that “all files of importance have been encrypted” and vital data stored on a secure server for “further exploitation and publication on the web with an open access.” It further claims SafePay blocked Ingram’s servers and will “unlock” them when an agreement is reached.

“WE ARE THE ONES WHO CAN CORRECTLY DECRYPT YOUR DATA AND RESTORE YOUR INFRASTRUCTURE IN A SHORT TIME,” the ransom note claims in capital letters.

This is not a politically motivated attack and the crew “want nothing more than money.” Ingram has seven days to negotiate.

As always, readers should treat the claims with some suspicion until independently verified.

The SafePay crew may have entered Ingram’s systems via its GlobalProtect VPN platform, sources told Bleeping Computer. This remains unconfirmed.

SafePay was the most active ransomware crew in the world in May, according to threat intelligence service Fortra, with 70 attacks linked to the gang and its affiliates in that month alone. Microlise was a high-profile victim attacked in October last year.

Graham Cluley, Fortra’s cybercrime researcher, said last month:

“SafePay is known for breaking into organisations by using stolen VPN or RDP credentials. It has not been reported to have used phishing techniques frequently seen in many other ransomware attacks. Therefore, organisations that worry they might be targeted would be wise to enforce multi-factor authentication on all remote access points, disable unused RDP or VPN access entirely, and use IP allowlists or geofencing where possible.”
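The two controls named in that advice, MFA on every remote-access login and an IP allowlist, are easy to audit after the fact from authentication logs. The script below is an added illustration and is not code from The Register, Fortra or Ingram Micro: it parses a handful of constructed VPN/RDP gateway log lines (the field layout is an assumption, not any vendor's real format) and flags successful logins that either lacked MFA or came from outside a hypothetical allowlist of corporate egress ranges.

```python
import ipaddress
import re

# Constructed sample log lines for this example only; the "user= src= mfa= result="
# layout is an assumption and does not reproduce any real product's log format.
SAMPLE_LOG = """\
2025-07-03T01:12:09Z vpn-gw auth user=alice src=203.0.113.7 mfa=yes result=success
2025-07-03T01:13:41Z vpn-gw auth user=svc-backup src=198.51.100.22 mfa=no result=success
2025-07-03T01:15:02Z vpn-gw auth user=bob src=192.0.2.15 mfa=yes result=success
2025-07-03T01:16:30Z rdp-gw auth user=carol src=203.0.113.40 mfa=no result=failure
2025-07-03T01:18:55Z vpn-gw auth user=dave src=203.0.113.99 mfa=no result=success
"""

# Hypothetical allowlist of corporate egress ranges (assumption for the example).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"\s+mfa=(?P<mfa>yes|no)\s+result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match
    the expected layout or carries an unparseable source address."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mfa"] = rec["mfa"] == "yes"
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def in_allowlist(addr, nets=ALLOWED_NETS):
    """True if the address falls inside any allowed network."""
    return any(addr in net for net in nets)


def find_policy_violations(log_text, nets=ALLOWED_NETS):
    """Return (user, src, reasons) for every successful remote login that
    breaks the MFA-everywhere or allowlist policy. Failed logins are skipped:
    the policy check is about sessions that were actually granted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue
        reasons = []
        if not rec["mfa"]:
            reasons.append("no_mfa")
        if not in_allowlist(rec["src"], nets):
            reasons.append("outside_allowlist")
        if reasons:
            findings.append((rec["user"], str(rec["src"]), reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in find_policy_violations(SAMPLE_LOG):
        print(f"{user} from {src}: {', '.join(reasons)}")
```

Run against the sample, it reports the service account that authenticated without MFA from an unknown range, a user who had MFA but came from outside the allowlist, and a user inside the allowlist who skipped MFA; the failed RDP attempt is ignored. On real gateways the same check belongs in the policy engine so the login is refused, not only logged, but a retrospective pass like this is how you discover which remote-access paths are not yet covered.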

The Register has asked Ingram Micro to comment. ®
