Ingram Micro outage caused by SafePay ransomware attack

Update 7/8/25: Updated article to make it clear that the VPN gateway was not compromised or exploited as part of this attack.

An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned.

Ingram Micro is one of the world’s largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide.

Since Thursday, Ingram Micro’s website and online ordering systems have been down, with the company not disclosing the cause of the issues.

BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices.

The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack.

It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.

SafePay ransom note found on Ingram Micro devices
Source: BleepingComputer

Sources have told BleepingComputer that it is believed the threat actors first gained access to Ingram Micro’s network through the company’s GlobalProtect VPN platform, likely using compromised credentials.

Once the attack was discovered, employees in some locations were told to work from home. The company also shut down internal systems, telling employees not to use the company’s GlobalProtect VPN access, which was said to be impacted by the IT outage.

Systems that are impacted in many locations include the company’s AI-powered Xvantage distribution platform and the Impulse license provisioning platform. However, BleepingComputer was told that other internal services, such as Microsoft 365, Teams, and SharePoint, continue to operate as usual.

As of yesterday, Ingram Micro has not disclosed the attack publicly or to its employees, only stating there are ongoing IT issues, as indicated by company-wide advisories shared with BleepingComputer.

The SafePay ransomware gang is a relatively new operation that was first seen in November 2024, accumulating over 220 victims since then.

The ransomware operation has been previously observed breaching corporate networks through VPN gateways using compromised credentials and password spray attacks.

BleepingComputer contacted Ingram Micro yesterday and today about the outages and ransomware attack, but did not receive a response to our emails.

Update 7/6/25: In a brief Sunday morning announcement, Ingram Micro has confirmed that they suffered a ransomware attack.

“Ingram Micro recently identified ransomware on certain of its internal systems,” reads Ingram Micro’s statement.

“Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The Company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”

“Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the Company apologizes for any disruption this issue is causing its customers, vendor partners, and others.”

Update 7/7/25: Palo Alto Networks shared the following statement with BleepingComputer regarding our reporting that it is believed the threat actors gained access through Ingram Micro’s VPN gateway.

“At Palo Alto Networks, the security of our customers is our top priority. We are aware of a cybersecurity incident impacting Ingram Micro and reports that mention Palo Alto Networks’ GlobalProtect VPN,” Palo Alto Networks told BleepingComputer.

“We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”

Update 7/8/25: In an updated press statement, Ingram Micro says that they have started to bring systems back online.

“Today, we made important progress on restoring our transactional business. Subscription orders, including renewals and modifications, are available globally and are being processed centrally via Ingram Micro’s support organization,” reads the statement.

“Additionally, we are now able to process orders received by phone or email from the UK, Germany, France, Italy, Spain, Brazil, India, China, Portugal and Nordics. Some limitations still exist with hardware and other technology orders, which will be clarified as orders are placed.”

“To place subscription orders, customers should contact Unified Support. For general inquiries, customers should contact their sales representative.”

Sources have also told BleepingComputer that VPN access has been restored in some countries.

Palo Alto Networks has also confirmed that their products were not exploited or hacked as part of the breach.

“Palo Alto Networks can confirm that none of our products were either the source of the vulnerability or impacted by the breach,” Palo Alto Networks told BleepingComputer.
