Ingram Micro has confirmed it was hit by a ransomware attack following several days of unexplained service disruptions. The outages, which began last Thursday on 3 July 2025, affected the company’s website, online ordering systems and various internal platforms.
Initially, the company attributed the downtime to unspecified “IT issues,” without revealing the underlying cause. However, BleepingComputer learned that the disruption stemmed from a ransomware incident linked to the SafePay group, known for infiltrating corporate networks through VPN gateways, often using password spray attacks or previously leaked login credentials.
On Sunday, Ingram Micro issued a formal statement confirming the ransomware attack. The company said it had taken immediate steps to secure its systems and launched an investigation with the help of leading cybersecurity experts.
“Ingram Micro recently identified ransomware on certain of its internal systems,” the statement read. The company also notified law enforcement authorities and is continuing to assess the full extent of the incident.
According to the BleepingComputer’s sources, employees began noticing ransom notes on their devices early Thursday morning. It remains unclear at this time if any data was encrypted or extracted from Ingram Micro’s systems.
The attackers are believed to have gained entry through Ingram Micro’s GlobalProtect VPN system, possibly using compromised credentials. In response to the breach, the company directed some employees to work from home and took key systems offline, including the VPN service itself.
The company says it is working urgently to restore affected systems in order to resume processing and shipping orders. It has also issued an apology for the disruption caused to its customers, vendor partners, and other stakeholders.
(Source: Ingram Micro [press release] / BleepingComputer)
