Alert on screen showing ransomware attack on tech distributor

Tech Distributor Ingram Micro Experiences System Outage Due to a Ransomware Attack

One of the United States’ largest technology providers, Ingram Micro, has suffered a system outage that began on July 3, 2025, as a result of a ransomware attack.

“Ingram Micro recently identified ransomware on certain of its internal systems,” the company stated.

Ingram Micro Holdings Corporation is a business-to-business (B2B) distributor of technology products, including hardware and software solutions and IT services.

With over 50 offices across the Americas, Europe, and Asia, the Irvine, California-based tech colossus employs over 20,000 people and reported annual sales of over $48 billion in 2024.

According to its cyber incident alert, the company immediately responded by proactively taking certain systems offline to contain the intrusion and applying other mitigations.

The shutdown disrupted online ordering systems and rendered the company’s websites unresponsive, resulting in a flurry of social media complaints. On July 4th, Ingram Micro directed its employees to work from home to minimize disruptions occasioned by the cyberattack.

The company also launched an investigation with third-party cyber forensics to determine the nature and scope of the cyber incident and notified law enforcement agencies, which are also currently assisting with the probe.

Ingram Micro grapples with system outage from SafePay ransomware attack

Apologizing to its customers and business partners for the system outage, Ingram Micro stated that its recovery team was working tirelessly to resolve the ransomware attack.

“Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the company apologizes for any disruption this issue is causing its customers, vendor partners, and others,” the company promised.

However, Ingram Micro provided no expected timeline for resolving the system outage and has yet to confirm whether the ransomware attack resulted in the encryption of devices.

Similarly, there is no word on whether data exfiltration occurred during the system outage or on the nature of the potentially stolen information. Ingram Micro has also not disclosed the identity of the threat actor and whether any ransom demands have been made.

The attack vector that the threat actor exploited during the ransomware attack also remains undisclosed, and the tech distributor has yet to assess the material impact of the system outage.

SafePay Ransomware gang attributed to the Ingram Micro cyber attack

The SafePay cyber gang has taken credit for the Ingram Micro system outage. First detected in November 2024, SafePay ransomware has victimized over 200 organizations worldwide by the end of the first quarter of 2025, including managed service providers (MSPs) and small and mid-sized businesses (SMEs), according to threat intelligence firm Acronis.

In May 2025 alone, the cyber gang carried out approximately 70 attacks, accounting for nearly a fifth (18%) of all recorded ransomware incidents.

The double extortion cyber gang ransomware deletes shadow copies and clears logs to prevent victim organizations from restoring the impacted systems, forcing them to either pay a ransom or rebuild their networks from scratch.

“SafePay is renowned for both encrypting systems and stealing data, so if ransom demands aren’t met, it’s likely we’ll see Ingram Micro popping up on SafePay’s data leak site in the coming days/weeks,” warned Rebecca Moody, Head of Data Research at Comparitech. “Over the last couple of months, SafePay has stolen an average of 111 GB of data from each victim, which can lead to significant breaches.”

In January 2025, the gang claimed responsibility for the Chesterfield Pathology, P.C. ransomware attack, in which it stole approximately 30 GB of data, affecting over 236,000 individuals, Moody added.

“With the toppling of LockBit and ALPHV, this has opened up ‘opportunities’ for upstart ransomware groups like SafePay,” explained Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “The group first gained fame with an early high-profile SafePay ransomware attack on UK telematics business Microlise, with SafePay claiming to have stolen 1.2 terabytes of data and demanding payment in less than 24 hours. However, little remains known about the group.”

SafePay targets vulnerable virtual private networks (VPNs) and exposed remote desktop protocols (RDPs), and also leverages weak or stolen credentials.

Unlike most ransomware gangs that rely on a ransomware-as-a-service (RaaS) model, SafePay operates its own centralized cyber extortion operation, thereby minimizing or eliminating payments to gang affiliates altogether.