It sounds like a banking app, but instead, it’s one of the latest ransomware groups: SafePay. Who are the perpetrators of the ransomware attack on Ingram Micro, which has left the distributor offline for more than four days?

Even after what must have been a stressful weekend, IT distributor Ingram Micro is still unavailable. At the time of writing, the supplier’s website only displays a short message about a cyber incident, with an external link for more information. It is clear that the cyberattack has been successful. It has now been confirmed that this is a ransomware attack, claimed by SafePay. The group is relatively young, but has made a familiar cybercriminal demand: Ingram Micro has seven days to pay. According to the group, money is their only motivation.

SafePay does things differently

First of all, we need to disambiguate the name SafePay. It has no connection whatsoever with SafePay, the Dutch automatic payment system for municipalities, or with a Pakistani fintech platform. Instead, it is a fairly innovative ransomware group. It stands out from the crowd by not using a Ransomware-as-a-Service (RaaS) model, in which an affiliate network independently distributes the malicious software and shares the ransom with the ransomware developer. SafePay instead opts for a closed system, in which it controls the use of the ransomware itself.

In the rapidly changing cybercrime landscape, there is always a new frontrunner. Conti and LockBit were former market leaders, while Akira, Qilin, and Play have been building up notoriety for some time. However, in a report by NCC Group, SafePay emerged as the outright “winner” with 70 attacks in May 2025, accounting for 18 percent of the total number of compromises measured.

Elsewhere, it is suggested that the group consists of former members of LockBit, BlackCat, and INC, among others. This, unlike abandoning the RaaS model, is extremely common. Like other ransomware variants, SafePay's also has an exception for unintended victims. Anyone who sets their computer to Russian, Ukrainian, Armenian, Azerbaijani, Belarusian, Georgian, or Kazakh is exempt. Speaking of language, SafePay does not appear to use authentic-sounding texts in phishing emails. Instead, it exploits stolen credentials, just like many other groups on the dark web. There is a large market for such login details, so SafePay may simply purchase this information.

Impact

For victims, the impact is potentially enormous. For Ingram Micro, this is already a grim reality. The damage to its reputation, it seems, has already been done. Poor communication led to widespread frustration among customers at the end of last week. “I can’t believe it’s been almost 24 hours and there’s no feedback on what’s going on,” one user wrote on Friday.

Because Ingram Micro is part of a larger digital supply chain, MSPs worldwide are also experiencing problems. They are unable to serve their customers because they do not have access to the necessary systems. This includes both software and hardware, including critical backup licenses.

Ingram Micro has since become slightly more communicative. On Saturday, it confirmed the ransomware attack. SafePay states that it took advantage of “a number of errors”; Ingram allegedly failed to fully secure its own IT network, which, according to SafePay, gave the group plenty of time to look around. According to the group, exploiting this misconfiguration was “a paid training session for your system administrators.” A source told BleepingComputer that GlobalProtect, Ingram Micro’s VPN, was used as the attack route.

The question is whether Ingram will actually pay. Even then, there are no guarantees, although SafePay presumably does not want to be seen as a ransomware group that does not keep its promises in such a public attack. If the data is permanently deleted when the victim pays the ransom, no one will want to deal with SafePay after a compromise.
