Exclusive: SafePay ransomware group finally lists Ingram Micro on leak site
Hackers claim to have stolen 3.5 terabytes of data during an attack confirmed by the US IT giant, with the data to be published within days.
Weeks after Ingram Micro confirmed that it had fallen victim to a ransomware attack, the culprit has come forward and openly claimed responsibility for the hack.
While tech media outlet Bleeping Computer had seen the ransom note left by the attackers in early July and reported that the SafePay ransomware operation was behind the incident, the hackers themselves did not immediately list Ingram Micro as a victim on their leak site.
However, overnight on July 30, the hackers finally listed the IT giant, claiming to have stolen 3.5 terabytes of data.
SafePay’s initial ransom note had a deadline of seven days to pay up or the data would be published, though the newly shared leak post appears to have extended that deadline. The group is now threatening to publish the data within three days.
Ingram Micro initially reported the incident on July 5.
“Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures,” the company said in its initial advisory.
“The Company also launched an investigation with the assistance of leading cyber security experts and notified law enforcement.”
From July 7, Ingram Micro was able to start getting its business processes back online, with normal services continuing to resume through to July 8. On July 8, the company said the incident was “contained and remediated,” and by July 9 all global operations had been restored.
“Ingram Micro is pleased to report that we are now operational across all countries and regions where we transact business. Our teams continue to perform at a swift pace to serve and support our customers and vendor partners,” Ingram Micro said.
“We are grateful for the support we’ve received from our customers and industry colleagues. This is an industry based on strong and committed relationships that make all the difference.”
According to Bleeping Computer’s sources, SafePay likely gained initial access via the company’s GlobalProtect VPN platform. When Palo Alto Networks learned that its platform may have been the initial attack vector, it released its own statement.
“At Palo Alto Networks, the security of our customers is our top priority. We are aware of a cyber security incident impacting Ingram Micro and reports that mention Palo Alto Networks’ GlobalProtect VPN,” Palo Alto Networks told BleepingComputer.
“We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”
Cyber Daily has reached out to Ingram Micro for comment on the latest developments regarding this incident.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.