IPS (Ingram Micro) is exploring a potential ransomware assault on their systems.

IPS (Ingram Micro) is exploring a potential ransomware assault on their systems.

In a significant cybersecurity incident, global technology distributor Ingram Micro has been targeted by the SafePay ransomware group. The attack, which occurred over July 3-4, 2025, has disrupted operations worldwide, affecting critical systems such as the Xvantage distribution platform and Impulse license provisioning system.

**The Emergence of SafePay**

The SafePay ransomware group first emerged in November 2024, quickly gaining notoriety as a significant threat. In the first quarter of 2025, SafePay aggressively expanded, striking over 200 victims worldwide, including Managed Service Providers (MSPs) and Small and Medium-sized Businesses (SMBs). By May 2025, SafePay reached a peak of 70 attacks in a single month, becoming one of the most active ransomware operations globally.

**Notable Attacks**

Apart from Ingram Micro, SafePay has targeted other notable entities, such as Conduent (a government contractor), Microlise (a British tech company), and Marlboro-Chesterfield Pathology (resulting in the exposure of 236,000 patient records).

**SafePay's Tactics and Connections**

While SafePay does not have a directly stated connection to other top ransomware gangs, its tactics share similarities with other groups. SafePay uses stolen VPN credentials and exploits misconfigured remote access systems, but unlike some advanced groups, it does not typically employ phishing campaigns or zero-day exploits. SafePay has also been known to use tools like ‘ShareFinder.ps1’, a script previously used in Emotet attacks and the Conti ransomware campaign, indicating a potential overlap in tactics or resources with other groups.

**SafePay's Distinct Approach**

SafePay's focus on supply chain targets, particularly major distributors like Ingram Micro, allows them to create widespread disruption beyond their primary targets. This strategic approach is distinct from some other ransomware groups but aligns with the criminal business model of maximizing damage per attack.

**Investigation and Response**

Outside forensic experts have been retained to help with the investigation, and law enforcement has been notified about the ransomware attack on Ingram Micro. In response to the attack, Ingram Micro proactively took certain systems offline. The company has not disclosed details about how the attackers gained access to its systems.

**Impact and Future Outlook**

The financial impact of the ransomware attack on Ingram Micro has not been disclosed. The company's earnings are expected to be between 53 cents to 63 cents a share in the fiscal second quarter. Ingram Micro's latest forecast calls for net sales of $11.7 billion to $12.2 billion in the fiscal second quarter. However, the ability of Ingram Micro to process and ship orders has been affected by the attack.

The SafePay ransomware group, first discovered in October 2024, has breached targeted companies using internet-exposed Remote Desktop Protocol and targeted virtual private networks. Researchers have seen an uptick in activity from SafePay since May. Despite these challenges, Ingram Micro, a technology firm based in Irvine, California, is currently investigating the incident and working to restore its systems.

1. In an effort to bolster its cybersecurity and protect against threats like SafePay, Ingram Micro may consider implementing threat intelligence systems and firewalls to monitor network traffic and block unauthorized access.
2. As the SafePay ransomware group continues to evolve, cybersecurity teams must remain vigilant and stay updated on the latest general-news and crime-and-justice developments related to this cyber threat.
3. Amidst the ongoing crisis, the cybersecurity community is urging companies to prioritize cybersecurity technology investments to safeguard their digital assets and avoid becoming the next target of ransomware operations such as SafePay.
4. In light of the SafePay ransomware attack on Ingram Micro and other recent high-profile cyber incidents, policymakers are discussions to enact stricter regulations on the use of technology in businesses to enhance overall cybersecurity and minimize vulnerabilities.

Read also: