Threat Intel Solutions

#### [Cyber-crime](/security/cyber_crime/)**7** Ingram Micro confirms ransomware behind multi-day outage========================================================**7** SafePay crew claims responsibility for intrusion at one of world’s largest tech distributors——————————————————————————————–[Paul Kunert](/Author/Paul-Kunert ‘Read more by this author’) Sun 6 Jul 2025 // 13:09 UTC [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage) [](https://twitter.com/intent/tweet?text=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage&url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage&summary=SafePay%20crew%20claims%20responsibility%20for%20intrusion%20at%20one%20of%20world%27s%20largest%20tech%20distributors) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) Ingram Micro, one of the world’s largest distributors, has confirmed it is trying to restore systems following a ransomware attack.As [exclusively revealed](https://www.theregister.com/2025/07/04/ingram_micro_technical_difficulties/), troubles began on July 3 when trade customers – resellers and managed service providers – complained they were no longer able place orders after systems and phone lines went down.Messages dispatched by *The Register* to contact company execs and its press relations department went unanswered. Ingram Micro finally broke its silence yesterday at around 3pm UTC amid an ‘ongoing system outage.’ The distributor [said](https://www.businesswire.com/news/home/20250705035732/en/Ingram-Micro-Issues-Statement-Regarding-Cybersecurity-Incident):  ’Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.’Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the company apologizes for any disruption this issue is causing its customers, vendor partners, and others.’ Orders for physical product could be placed and Ingram was also unable to manage Microsoft 365 and Dropbox licenses. A source told us staff at Ingram’s Bulgaria-based service center were sent home on July 4 and asked to keep their laptops disconnected as systems were turned off.Ingram turns over hundreds of millions of dollars a day in sales so disruption to service even for a day is a big deal. It generated revenues of $48 billion in its prior financial year ended December 28, 2024 and recorded a profit of $262.2 million, selling a range of hardware, software, cloud services, IT asset disposition, third party logistics, dropship and returns management and remarketing.The SafePay ransomware crew has taken responsibility for the attack, according to [Bleeping Computer](https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/), which published a ransom note from the criminals. In it, SafePay claims it exploited ‘a number of mistakes’ Ingram made ‘in setting up the security of your corporate network, so we were able to spend quite a long time in it and compromise you.”It was the misconfiguration of your network that allowed our experts to attack you, so treat this situation as simply as a paid training session for your system administrators.’The note claims the intruders accessed ‘sensitive and confidential information’ including documents pertaining to financials statements, intellectual property, accounting records, lawsuits and complaints, personal and customer files, bank details, transactions and more.It adds that ‘all files of importance have been encrypted’ and vital data stored on a secure server for ‘further exploitation and publication on the web with an open access.’ It further claims SafePay blocked Ingram’s servers and will ‘unlock’ them when an agreement is reached.’WE ARE THE ONES WHO CAN CORRECTLY DECRYPT YOUR DATA AND RESTORE YOUR INFRASTRUCTURE IN A SHORT TIME,’ the ransom note claims in capped letters.This is not a politically motivated attack and the crew ‘want nothing more than money.’ Ingram has seven days to negotiate.As always, readers should treat the claims with some suspicion until independently verified.The SafePay crew may have entered Ingram’s systems via its GlobalProtect VPN platform, sources told Bleeping Computer. This remains unconfirmed.SafePlay was the most active ransomware crew in the world in May, according to threat intelligence service Fortra, with 70 attacks alone linked to the gang and its affiliates that month. [Microlise was a high profile victim](https://www.theregister.com/2024/11/22/safepay_microlise/) that was attacked in October last year.* [Glasgow City Council online services crippled following cyberattack](https://www.theregister.com/2025/06/26/glasgow_city_council_cyberattack/)* [Qilin ransomware attack on NHS supplier contributed to patient fatality](https://www.theregister.com/2025/06/26/qilin_ransomware_nhs_death/)* [Glazed and confused: Hole lotta highly sensitive data nicked from Krispy Kreme](https://www.theregister.com/2025/06/19/krispy_kreme_reveals_staggering_breadth/)* [Australian airline Qantas reveals data theft impacting six million customers](https://www.theregister.com/2025/07/02/qantas_data_theft/)* [Experts count staggering costs incurred by UK retail amid cyberattack hell](https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/)Graham Cluely, Fortra’s cybercrime researcher, [said last month](https://www.fortra.com/blog/safepay-ransomware-what-you-need-know):’SafePay is known for breaking into organisations by using stolen VPN or RDP credentials. It has not been reported to have used phishing techniques frequently seen in many other ransomware attacks. Therefore, organisations that worry they might be targeted would be wise to enforce multi-factor authentication on all remote access points, disable unused RDP or VPN access entirely, and use IP allowlists or geofencing where possible.’*The Register* has asked Ingram Micro to comment. ® [Sponsored: How multi-agent systems revolutionize data work flows](https://go.theregister.com/tl/3207/shttps://www.theregister.com/2025/07/03/multi_agent_systems_google/) Share [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage) [](https://twitter.com/intent/tweet?text=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage&url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage&summary=SafePay%20crew%20claims%20responsibility%20for%20intrusion%20at%20one%20of%20world%27s%20largest%20tech%20distributors) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) #### More aboutShare [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage) [](https://twitter.com/intent/tweet?text=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage&url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Ingram%20Micro%20confirms%20ransomware%20behind%20multi-day%20outage&summary=SafePay%20crew%20claims%20responsibility%20for%20intrusion%20at%20one%20of%20world%27s%20largest%20tech%20distributors) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) **7** COMMENTS #### TIP US OFF[Send us news](https://www.theregister.com/Profile/contact/)[#### UK puts out tender for space robot to de-orbit satellitesGot to be a ‘clean space superpower’ — right, Brits?Science11 hrs -| 23](/2025/07/06/uk_puts_out_tender_for_deorbit_mission/?td=keepreading) [#### Massive spike in use of .es domains for phishing abuse¡Cuidado! Time to double-check before entering your Microsoft credsSecurity1 day -| 5](/2025/07/05/spain_domains_phishing/?td=keepreading) [#### iFixit gives new Fairphone 6 top marks for repairability: 10/10It’s not cheap or high end, but it should last you for years to comePersonal Tech1 day -| 21](/2025/07/05/ifixit_gives_fairphone_10/?td=keepreading) [#### Why rapid proliferation of cloud native apps requires faster, more efficient toolsetsKubernetes enables easy, rapid AI app development, making it the industry standard for AI workloadsSponsored feature](/2025/05/13/nutanix_cloud_native_ai_apps/?td=keepreading) [#### Financial ‘stretch’ for UK to join Europe’s Starlink rival, says ministerPossibility of joining IRIS² remote as Britain grapples with fiscal squeezeNetworks1 day -| 54](/2025/07/05/uk_budget_to_join_iris_not_there/?td=keepreading) [#### Ousted US copyright chief argues Trump did not have power to remove herShira Perlmutter lost her job after her office published report on generative AI and fair use limitsAI + ML2 days -| 45](/2025/07/04/copyright_office_trump_filing/?td=keepreading) [#### Microsoft finally bids farewell to PowerShell 2.0Venerable command line tool to depart WindowsSoftware2 days -| 22](/2025/07/04/microsoft_finally_bids_farewell_to/?td=keepreading) [#### Amazon built a massive AI supercluster for Anthropic called Project Rainier — here’s what we know so fardeep dive It’s almost like AWS is building its own StargateOn-Prem2 days -| 12](/2025/07/04/project_rainier_deep_dive/?td=keepreading) [#### Mars was once a desert with intermittent oases, Curiosity data suggestsNew modeling of carbon cycle shows unsteady but habitable history before liquid water disappearedScience2 days -| 22](/2025/07/04/mars_was_once_a_desert/?td=keepreading) [#### We’re number 1! Windows 11 finally overtakes Windows 10Three months to go until support ends, and Microsoft’s flagship operating system squeaks past its predecessorOSes2 days -| 42](/2025/07/04/windows_11_market_share/?td=keepreading) [#### 14-hour+ global blackout at Ingram Micro halts customer ordersExclusive Fears mount while distie remains silent and phone lines downChannel2 days -| 32](/2025/07/04/ingram_micro_technical_difficulties/?td=keepreading) [#### Former and current Microsofties react to the latest round of layoffs’JFC, again?’Software2 days -| 52](/2025/07/04/former_and_current_microsofties_react_layoffs/?td=keepreading)

Related Tags:
NAICS: 42 – Wholesale Trade

NAICS: 54 – Professional

Scientific

Technical Services

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 51 – Information

Financial Theft

Blog: The Register Security

Phishing

Data Encrypted for Impact

Associated Indicators: