IT distribution giant Ingram Micro has confirmed that the widespread outage affecting its internal platforms and services was the result of a ransomware attack attributed to the SafePay group.
Attack Discovered After Ransom Notes Appear on Employee Devices
The incident began early on Thursday, July 4, 2025, when Ingram Micro employees reportedly found ransom notes on their devices, pointing to the SafePay ransomware group—a threat actor active since late 2024 and known for compromising enterprise networks via VPN access.
While it remains unclear whether data was encrypted in this instance, sources suggest the attack likely exploited Ingram Micro’s GlobalProtect VPN, a known target in past SafePay operations. Shortly after detection, employees were instructed to work remotely, and VPN usage was suspended.
Internal systems were proactively shut down as a precaution. This included Ingram Micro’s flagship Xvantage AI-powered distribution platform and the Impulse license provisioning system. However, some tools like Microsoft 365, Teams, and SharePoint remained unaffected and operational.
Company Statement Confirms Ransomware Incident
On Sunday, July 6, Ingram Micro publicly acknowledged the ransomware attack for the first time:
“Ingram Micro recently identified ransomware on certain of its internal systems,” the company said in a statement.
“Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The Company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”
The company added that recovery efforts are ongoing and apologized for the disruption caused to customers, vendor partners, and stakeholders.
SafePay’s Attack Pattern and Rapid Rise
SafePay first emerged in November 2024 and has been linked to over 220 attacks globally within just a few months. The group’s primary tactics involve:
- Gaining access via compromised VPN credentials
- Using password spraying attacks to bypass authentication
- Dropping ransom notes with boilerplate data theft claims—language that may not always reflect actual data exfiltration
Although SafePay’s ransom notes typically claim data theft, those claims have not been independently confirmed in the Ingram Micro case. The reused language raises the possibility that this attack may have been more disruptive than extortive.
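The password-spraying tactic listed above has a recognizable shape in VPN authentication logs: one source failing against many different accounts within a short window, sometimes followed by a success. The detector below is an added example, not code from Ingram Micro or the original report; the log format, the `detect_spray` function and its thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real logs).
# Assumed format: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2025-01-10T02:00:01 203.0.113.7 alice FAIL
2025-01-10T02:00:09 203.0.113.7 bob FAIL
2025-01-10T02:00:17 203.0.113.7 carol FAIL
2025-01-10T02:00:26 203.0.113.7 dave FAIL
2025-01-10T02:00:34 203.0.113.7 erin FAIL
2025-01-10T02:00:41 203.0.113.7 frank OK
2025-01-10T09:15:00 198.51.100.20 grace FAIL
2025-01-10T09:15:20 198.51.100.20 grace FAIL
2025-01-10T09:15:45 198.51.100.20 grace OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log, min_users=5, window=timedelta(minutes=10)):
    """Flag sources that fail against >= min_users distinct accounts in window.

    Returns {ip: {"users": set_of_targeted_accounts, "compromised": [accounts]}}.
    Repeated failures on ONE account (a user mistyping) do not trigger.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)] inside the window
    alerts = {}
    for ts, ip, user, result in sorted(parse(log)):
        if result == "FAIL":
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            failures[ip] = recent + [(ts, user)]
            users = {u for _, u in failures[ip]}
            if len(users) >= min_users:
                alert = alerts.setdefault(ip, {"users": set(), "compromised": []})
                alert["users"] |= users
        elif result == "OK" and ip in alerts:
            # A success from an already-flagged source is the priority finding:
            # the account's password was probably guessed.
            alerts[ip]["compromised"].append(user)
    return alerts
```

Accounts reported under `compromised` are candidates for immediate session revocation and password reset; the thresholds need tuning for shared egress IPs such as corporate NAT.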
Services Affected, But Core Communication Tools Remain Online
Key ordering and distribution platforms experienced disruptions, but Ingram Micro’s core communication channels remained stable:
- Operational: Microsoft 365, Teams, SharePoint
- Disrupted: Xvantage distribution platform, Impulse license provisioning, GlobalProtect VPN
The company has not yet disclosed a recovery timeline or whether any sensitive data was compromised. No ransom demand amount has been revealed either.
Ingram Micro plays a central role in global tech logistics, serving resellers and managed service providers (MSPs) across hardware, cloud, software, and training verticals. The company’s exposure to threat actors highlights the growing risk ransomware poses to supply chain infrastructure.