Ransomware Attack Disrupts Ingram Micro Operations


SafePay Ransomware Responsible for Extended System Outage

Ingram Micro headquarters in Irvine, California, captured on July 9, 2022. (Image: Shutterstock)

Ingram Micro, a leading global technology distributor, has confirmed that a ransomware attack disrupted its internal systems and caused a significant IT outage. The company disclosed the incident shortly after detecting it, by which point customers and partners were already reporting that core services were unavailable.

Headquartered in Irvine, California, Ingram Micro is one of the largest technology distributors worldwide, reporting nearly $48 billion in net sales for 2024. The outage is interrupting services, in particular software licensing, and is cutting customers off from products that depend on the company's backend systems.

A filing with U.S. federal regulators directed stakeholders to a previously issued press release for details on the situation. That statement followed reports that ransom notes had appeared on employee devices. Ingram Micro has not officially named the group responsible, but the notes match those previously attributed to SafePay, a ransomware operation that has claimed more than 220 victims since it emerged in late 2024.

On Reddit and other social media platforms, users have vented frustration over the unresolved outage, reporting that the company's website has been down for an extended period and that communication from the company has been sparse. Several describe being unable to log into Ingram Micro's online portals, compounding concerns about access to critical services.

The extent of the breach remains unclear, including whether data was exfiltrated or systems were encrypted. Sources have said the attackers may have entered through the company's Palo Alto Networks GlobalProtect VPN. That is a familiar pattern: a VPN gateway is internet-facing by design, and cybersecurity experts note that logging on with stolen credentials, often on accounts without multi-factor authentication, or abusing a misconfigured portal is one of the most common ways ransomware operators get in.

If SafePay is responsible, this would not be the first time the group has used stolen VPN credentials; prior incidents attributed to it have been documented using the same method. SafePay has also drawn attention for its tradecraft, which includes exploiting exposed endpoints, escalating privileges, and disabling security tooling to hinder detection and obstruct recovery.

In earlier incidents, SafePay has encrypted files and appended a .safepay extension, dropping a ransom note named readme_safepay.txt in affected directories. The group also exfiltrates data before encrypting, so victims face both operational disruption and the threat of publication, which increases the group's extortion leverage.
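The two file-system indicators above (the .safepay extension and the readme_safepay.txt note) are what a responder would sweep a file share for first. The following script is an added example, not code from the article or from any party it describes: it walks a directory tree, counts encrypted files per folder, deduplicates ransom notes by SHA-256 (the same note dropped in many folders hashes identically), and produces a triage summary. The sample tree it builds is constructed for demonstration and contains no real victim data; the indicator names come from the article, the directory names and note text are assumptions.

```python
"""Sweep a directory tree for SafePay file-system indicators and summarize the hits."""
import collections
import hashlib
import os
import pathlib
import tempfile

SAFEPAY_EXT = ".safepay"            # extension SafePay appends to encrypted files
SAFEPAY_NOTE = "readme_safepay.txt"  # ransom note filename dropped per directory


def scan_tree(root):
    """Walk root and return (encrypted_file_paths, ransom_note_paths)."""
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = pathlib.Path(dirpath, name)
            lower = name.lower()
            if lower.endswith(SAFEPAY_EXT):
                encrypted.append(path)
            elif lower == SAFEPAY_NOTE:
                notes.append(path)
    return encrypted, notes


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def summarize(root):
    """Build a triage summary: hit counts, affected folders, original filenames, note hashes."""
    root = pathlib.Path(root)
    encrypted, notes = scan_tree(root)
    per_dir = collections.Counter(str(p.parent.relative_to(root)) for p in encrypted)
    # Strip the appended extension to recover what the file was called before encryption.
    original_names = sorted(p.name[: -len(SAFEPAY_EXT)] for p in encrypted)
    note_hashes = {sha256_file(p) for p in notes}
    return {
        "encrypted_count": len(encrypted),
        "encrypted_per_dir": dict(per_dir),
        "affected_dirs": sorted(per_dir),
        "original_names": original_names,
        "note_count": len(notes),
        "unique_note_hashes": len(note_hashes),
        "verdict": "safepay-indicators-present" if encrypted or notes else "clean",
    }


def build_sample_tree(base):
    """Constructed sample: two share folders hit, one untouched (assumed names, not real data)."""
    base = pathlib.Path(base)
    note = b"Greetings! Your files have been encrypted. (constructed note text)\n"
    hit_folders = {
        "finance": ["q2_report.xlsx", "payroll.csv"],
        "engineering": ["design.pdf"],
    }
    for folder, files in hit_folders.items():
        target = base / folder
        target.mkdir(parents=True, exist_ok=True)
        for name in files:
            # Random bytes stand in for ciphertext; only the name matters to the sweep.
            (target / (name + SAFEPAY_EXT)).write_bytes(os.urandom(64))
        (target / SAFEPAY_NOTE).write_bytes(note)
    clean = base / "clean"
    clean.mkdir(exist_ok=True)
    (clean / "notes.txt").write_text("nothing to see here\n")
    return base


def demo():
    """Run the sweep over the constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a mounted share or a forensic image mount point by calling `summarize("/mnt/evidence")`. A single unique note hash across many folders confirms one campaign rather than several; a folder listed in `affected_dirs` with no note, or the reverse, is worth a closer look. Name-based hunting is only a first pass: a variant that changes the extension or note name will slip past it, so pair it with EDR telemetry and backup integrity checks rather than treating a "clean" verdict as proof of absence.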

The incident is a reminder to harden remote access: enforce multi-factor authentication on every VPN account, limit who can reach the portal and what it can reach internally, keep gateway software patched, and monitor VPN logins for anomalies such as new source locations or impossible travel. As ransomware groups keep refining their methods, that kind of vigilance, rather than the VPN alone, is what stands between an organization and the next such breach.
