Ransomware group threatens to release 3.5TB of data
Ingram Micro is still recovering from a cyberattack on 9th July
A ransomware group is threatening to release terabytes of data allegedly stolen from IT distributor Ingram Micro, which suffered a cyberattack three weeks ago.
The SafePay ransomware group has threatened to release 3.5 terabytes of data it claims to have stolen from distribution giant Ingram Micro, adding pressure to the company’s ongoing recovery efforts following the cyberattack earlier this month.
SafePay listed Ingram Micro, one of the world’s largest B2B technology distributors, as a victim on its leak site on 29th July, setting a 1st August deadline for the public release of the compromised data.
The development is a hallmark move for ransomware gangs seeking leverage through public extortion, and suggests Ingram Micro refused to pay a ransom demand.
While Ingram Micro has not confirmed SafePay’s involvement, the group’s claim and timing raise new concerns about the breach’s scope.
The distributor, which provides services ranging from hardware and software sales to cloud solutions and logistics, has not issued an update since 9th July – the date it declared global operations restored.
“Ingram Micro is pleased to report that we are now operational across all countries and regions where we transact business,” its earlier statement reads.
“Our teams continue to perform at a swift pace to serve and support our customers and vendor partners. We are grateful for the support we’ve received from our customers and industry colleagues.”
However, behind that confident messaging, signs of a more drawn-out recovery are evident.
Websites still affected
Although Ingram Micro claims its global operations are functioning, some systems and websites are yet to come back online.
This week, cybersecurity analysts observed the company restoring access to several of its previously offline web portals, including the security site for its Middle East, Turkey and Africa (META) region.
The META website, which showcases the firm’s security consulting and training services, is now accessible, but several subdomains remain unreachable.
After its global IT outage, Ingram Micro instructed employees to work from home and shut down ordering systems and other online tools.
The company has since performed a complete reset of employee passwords and implemented organisation-wide multi-factor authentication as part of its recovery process.
Sources who spoke with The Register in the early days of the attack criticised Ingram Micro’s communication strategy, describing confusion over how to obtain reliable information and a lack of timely updates.
The SafePay threat
SafePay ransomware emerged in September 2024 and has quickly become one of the most active cyber-extortion operations worldwide. Known for stealing data prior to encryption, the group uses threats of public leaks on the dark web to coerce victims into payment.
To date, SafePay has listed over 260 confirmed victims on its leak site, though the real number is believed to be higher.
Its rise follows the decline of notorious ransomware groups like LockBit and BlackCat (ALPHV).
As of now, Ingram Micro has not publicly attributed the breach to SafePay or confirmed whether sensitive data was stolen. The company’s silence, combined with the gang’s threats, has left customers and partners in the dark as the 1st August deadline looms.