- Ingram Micro is recovering from a ransomware attack that disrupted services.
- Service restoration is ongoing.
Ingram Micro is working to bring systems back online after a ransomware attack took down parts of its network, disrupting ordering systems and customer service channels across multiple regions.
The incident started on July 3. Customers first noticed problems when they could no longer place orders or reach the company through regular phone lines. Resellers and managed service providers — a major part of Ingram Micro’s client base — were among the first to report issues. Local websites began displaying maintenance pages with basic contact details for sales and support teams.
At first, the cause was unclear. The company described the issue as “technical difficulties.” Attempts to reach executives or press representatives went unanswered. It wasn’t until July 6 that Ingram Micro confirmed it had been hit by ransomware.
“Ingram Micro recently identified ransomware on certain of its internal systems,” the company said in a statement. It explained that after discovering the issue, systems were shut down as a precaution while cybersecurity specialists were brought in. Law enforcement was also notified.
The company added that it’s working to restore affected systems so it can resume processing and shipping orders. It apologised for the disruption caused to customers, vendors, and other business partners.
As of now, the outage continues to affect both physical product orders and license management systems, including Microsoft 365 and Dropbox. A source familiar with the situation said staff at Ingram Micro’s Bulgaria-based service centre were told to stay home on July 4 and avoid connecting their work laptops to the company network. Internal systems were still down at the time.
The disruption is significant given the scale of Ingram Micro’s operations. The company brought in $48 billion in revenue last year and posted $262.2 million in profit. It sells a wide range of products and services, from hardware and software to cloud licenses, IT asset disposal, returns management, logistics, and product remarketing. In Q1 this year, which ended on March 29, the company recorded $12.28 billion in revenue and $69.2 million in net income.
A group calling itself SafePay has claimed responsibility. Cybersecurity site Bleeping Computer obtained a copy of the ransom note, which accuses Ingram Micro of poor network security. The group claims it was able to access the company’s systems and stay inside undetected for some time.
“It was the misconfiguration of your network that allowed our experts to attack you,” the note says. “Treat this situation as simply as a paid training session for your system administrators.”
SafePay says it gained access to sensitive documents, including financial records, intellectual property, customer and employee data, bank account details, transaction history, and legal complaints. The group claims it encrypted all critical files and moved copies to a remote server. It says those files could be published online if no deal is reached.
“WE ARE THE ONES WHO CAN CORRECTLY DECRYPT YOUR DATA AND RESTORE YOUR INFRASTRUCTURE IN A SHORT TIME,” the note reads in all caps.
The attackers said the motive is purely financial. Ingram Micro has been given seven days to start negotiations.
At this point, the full extent of the breach remains unclear. Claims made by ransomware gangs often include exaggerations and should be verified independently. It’s also not confirmed how the attackers got in. One possible entry point, according to sources speaking to Bleeping Computer, is Ingram’s GlobalProtect VPN platform. That theory has not been confirmed.
SafePay was the most active ransomware group in May, according to threat intelligence company Fortra. The firm linked 70 separate incidents to the gang or its affiliates during that month alone. One of the group’s more prominent victims was fleet management software firm Microlise, which was attacked in October last year.
For now, Ingram Micro continues to operate with limited system access while recovery efforts are underway.
