July 7, 2025

IT provider Ingram Micro hit by SafePay ransomware

On July 6, 2025, global IT distribution giant Ingram Micro confirmed it had fallen victim to a ransomware attack by the SafePay threat group. The incident, which began on July 3, triggered a multi-day outage across its global supply chain, which consists largely of managed service providers.

Ingram Micro’s internal systems were taken offline after ransomware was detected on its network. The attack reportedly began via the company’s GlobalProtect VPN gateway, a known target for credential-based intrusions. The affected systems included the company’s Xvantage AI-powered distribution platform and its Impulse license provisioning system, which are used for order fulfillment and partner services.

The ransomware attack caused significant downstream disruption for its customers, including delayed order processing, shipment backlogs, and licensing interruptions across platforms like Microsoft 365 and Dropbox. With Ingram’s core systems offline, vendors lost visibility into demand, resellers struggled to meet service-level agreements, and enterprise procurement teams faced cascading delays in hardware provisioning and capital planning. Given Ingram Micro’s $48 billion annual revenue and its role in global IT distribution, these short-term outages have had cascading effects across the tech ecosystem.

The SafePay ransomware group claimed responsibility, stating they exploited “a number of mistakes” in Ingram’s network configuration. The attackers claim to have exfiltrated sensitive data, including financial records, customer files, and intellectual property, and encrypted critical systems to demand ransom.

SafePay has been active since late 2024, and has become one of the most prolific ransomware operations in 2025, with over 220 claimed victims. Known for targeting VPN gateways and exploiting weak credentials, SafePay typically uses ransom notes that threaten public data leaks unless payment is made.

Analyst notes:

Although there was no public evidence of ransomware spreading downstream to Ingram Micro’s customers at the time of reporting, the incident underscores the fragility of interdependent supply chains—where a single compromise can ripple across the broader IT ecosystem. If attackers accessed partner credentials or back-end systems, customers could potentially face exposure of sensitive data and elevated security risks.

Organizations that rely on Ingram’s cloud services or automated provisioning should review access logs, rotate credentials, and monitor for suspicious activity, particularly if their systems interface directly with Ingram’s platforms. In supply chain attacks, even indirect exposure can become a foothold for further attacks.

To reduce the risk of ransomware attacks like the one that affected Ingram Micro, organizations should harden their remote access infrastructure by securing VPN gateways, enforcing strong authentication, and actively monitoring unusual sign-ins. It’s also essential to maintain regular backups, preferably offline and immutable, and to test incident response plans to ensure rapid containment and recovery when needed.
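
One way to act on the sign-in monitoring advice above, as an added example that is not part of the original article: it flags a successful VPN sign-in that follows a burst of failures from the same source, and a success from a source an account has not used before. The CSV layout, account names, addresses, and thresholds are assumptions constructed for illustration; real gateway logs need their own field mapping.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical CSV export (time,user,src_ip,result);
# it is not a real gateway log format and the values are made up.
SAMPLE_LOG = """\
2025-07-01T08:02:11,alice,198.51.100.10,success
2025-07-02T08:05:40,alice,198.51.100.10,success
2025-07-03T02:14:01,svc-backup,203.0.113.77,failure
2025-07-03T02:14:09,svc-backup,203.0.113.77,failure
2025-07-03T02:14:15,svc-backup,203.0.113.77,failure
2025-07-03T02:14:22,svc-backup,203.0.113.77,failure
2025-07-03T02:14:30,svc-backup,203.0.113.77,failure
2025-07-03T02:15:02,svc-backup,203.0.113.77,success
2025-07-03T08:01:55,alice,198.51.100.10,success
2025-07-03T09:30:12,alice,203.0.113.77,success
"""

def find_suspicious_signins(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return (time, user, src_ip, reason) tuples for sign-ins worth triage."""
    recent_failures = defaultdict(deque)  # src_ip -> times of recent failures
    known_sources = defaultdict(set)      # user -> sources with past successes
    alerts = []
    for ts, user, src_ip, result in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        failures = recent_failures[src_ip]
        while failures and when - failures[0] > window:
            failures.popleft()            # forget failures outside the window
        if result == "failure":
            failures.append(when)
            continue
        if len(failures) >= max_failures:
            # Credential guessing that ended in a working login.
            alerts.append((ts, user, src_ip, "success after failure burst"))
        elif known_sources[user] and src_ip not in known_sources[user]:
            # Account has a baseline, and this source is not in it.
            alerts.append((ts, user, src_ip, "new source for account"))
        known_sources[user].add(src_ip)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_signins(SAMPLE_LOG):
        print(*alert, sep="  ")
```

An account's first recorded success has no baseline and is only caught by the failure-burst rule, so seed `known_sources` from historical logs before relying on the new-source check.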