Ingram Micro, a global technology distributor, has confirmed that a ransomware attack is behind a major IT system outage that has affected its operations. The incident, which began several days ago, has disrupted software licensing services and blocked customer access to products that rely on the company’s backend systems.
The California-based firm, which recorded nearly $48 billion in sales in 2024, acknowledged the attack in a filing with US federal regulators and referred back to an earlier press release for further information. Reports suggest the attack is linked to the SafePay ransomware group, although Ingram Micro has not officially named the group responsible.
Several employees reported seeing ransom demands on their devices, with the note format matching those used by SafePay. This ransomware group, active since November 2024, has targeted over 220 organizations globally. It is known for encrypting files using a .safepay extension and dropping ransom notes titled readme_safepay.txt.
Reddit users confirmed that the outage is still unresolved, with some saying they were unable to access the website or contact departments. One user wrote, “Their website has been down since this AM (EST) and none of the departments are answering emails,” while another complained, “I can’t even log in to the portal.”
Sources revealed that hackers may have breached Ingram Micro through the Palo Alto GlobalProtect VPN. A cybersecurity company mentioned it is investigating the incident and added, “Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”
SafePay has previously used stolen VPN credentials to breach organizations. In fact, it has been involved in several high-profile cyberattacks, including one earlier this year targeting a laboratory services provider in North Carolina that impacted nearly 236,000 people.
SafePay uses advanced methods to carry out its attacks. It exploits exposed Remote Desktop Protocol (RDP) endpoints, disables security features, escalates access privileges, and shuts down critical processes to prevent recovery. The group also exfiltrates data using tools like WinRAR and FileZilla before launching file encryption, increasing pressure on victims to pay ransoms.
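An added example (not from the article, Ingram Micro, or any vendor tooling) of how a defender could triage endpoint telemetry for the indicators named above: files renamed with the .safepay extension, a readme_safepay.txt note, and WinRAR or FileZilla running on the same host beforehand. The log format, host names, binary names and the 24-hour look-back are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (not from the incident): "<time> <host> <kind> <path>"
SAMPLE_LOG = r"""
2025-01-01T02:10:05 WS-014 process C:\Program Files\WinRAR\Rar.exe
2025-01-01T02:14:40 WS-014 process C:\Program Files\FileZilla FTP Client\filezilla.exe
2025-01-01T03:01:12 WS-014 file C:\Finance\q2.xlsx.safepay
2025-01-01T03:01:13 WS-014 file C:\Finance\payroll.docx.safepay
2025-01-01T03:01:15 WS-014 file C:\Finance\readme_safepay.txt
2025-01-01T09:30:00 WS-022 process C:\Program Files\WinRAR\WinRAR.exe
2025-01-01T09:31:00 WS-022 file C:\Users\amy\Documents\backup.rar
"""

STAGING_TOOLS = {"winrar.exe", "rar.exe", "filezilla.exe"}  # assumed binary names
NOTE_NAME = "readme_safepay.txt"   # ransom note title given in the article
ENCRYPTED_EXT = ".safepay"         # extension given in the article
WINDOW = timedelta(hours=24)       # assumed look-back for staging activity

def parse(log):
    """Yield (time, host, kind, lower-cased file name) for each event line."""
    for line in log.strip().splitlines():
        ts, host, kind, path = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, kind, PureWindowsPath(path).name.lower()

def triage(log):
    """Return {host: finding} for hosts showing SafePay encryption indicators."""
    tools = defaultdict(list)  # host -> [(time, tool)] seen so far
    findings = {}
    for ts, host, kind, name in sorted(parse(log)):
        if kind == "process" and name in STAGING_TOOLS:
            tools[host].append((ts, name))
        elif kind == "file" and (name == NOTE_NAME or name.endswith(ENCRYPTED_EXT)):
            f = findings.get(host)
            if f is None:
                # First indicator on this host: record archiver/FTP tools run shortly before.
                recent = sorted({t for when, t in tools[host] if ts - when <= WINDOW})
                f = findings[host] = {"first_seen": ts, "encrypted": 0,
                                      "note": False, "prior_staging_tools": recent}
            if name == NOTE_NAME:
                f["note"] = True
            else:
                f["encrypted"] += 1
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A host that only ran an archiver, such as WS-022 in the sample, is not reported; the staging tools are context attached to an encryption finding, since both are common legitimate software.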