Ransomware Attack Halts Ingram Micro Operations



SafePay Ransomware Blamed for Prolonged System Outage

Ingram Micro headquarters in Irvine, California, in a photo dated July 9, 2022. (Image: Shutterstock)

Global tech distributor and service provider Ingram Micro confirmed days after a widespread IT outage that a ransomware attack disrupted internal systems.


California-headquartered Ingram Micro ranks among the largest global distributors of technology products, delivering hardware and software to businesses and offering managed cloud services. It reported nearly $48 billion worth of sales during 2024.

The company is currently experiencing a service disruption that affects software licensing and halts customers' access to certain products that depend on Ingram Micro's backend systems. A Monday filing with U.S. federal regulators directs investors back to a Saturday press release for information. A company spokesperson similarly directed Information Security Media Group's request back to the press release.

Ingram Micro disclosed the incident following reports that extortion demands associated with the SafePay ransomware group appeared on employee devices. Ingram Micro stopped short of naming the ransomware group involved. The ransom note format matched those previously used by SafePay, an increasingly active operation that has racked up more than 220 victims since it emerged in November 2024.

On Reddit, multiple users reported that the outage remains unresolved and that they are still unable to access the company website. “Their website has been down since this AM (EST) and none of the departments are answering emails,” wrote a poster on Friday around 3 p.m. “I can’t even log in to the portal,” complained another in a late Sunday night post.

It remains unclear whether any data was exfiltrated in this incident or whether systems were encrypted.

Unnamed sources told BleepingComputer that hackers apparently breached the company through the Palo Alto Networks GlobalProtect VPN. In a statement, Palo Alto Networks, which makes GlobalProtect, said that it is investigating the incident, adding: "Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways."

If SafePay hackers did breach Ingram Micro through GlobalProtect, it wouldn’t be the first time the apparently Russian-speaking group used stolen VPN credentials to hack a corporation. Managed endpoint security firm Huntress documented two such incidents in 2024. By the time data protection firm Fortra wrote a June 27 blog post profiling SafePay, it characterized it as a group “known for breaking into organizations by using stolen VPN or RDP.”

Earlier this year, SafePay was involved in a ransomware attack on a North Carolina-based laboratory services provider. The incident, discovered in January and reported to federal regulators in May, affected nearly 236,000 individuals.

A relatively new ransomware strain first observed in October 2024, SafePay has since been linked to attacks across multiple sectors and regions, including the United States, United Kingdom, Australia, Canada and Germany.

The operation is known for encrypting files with a .safepay extension and dropping a ransom note titled readme_safepay.txt. It employs a range of advanced tactics, starting with exploiting exposed Remote Desktop Protocol (RDP) endpoints and misconfigured legacy systems, disabling security features using living-off-the-land binaries, escalating privileges via User Account Control (UAC) bypass techniques, and terminating critical processes and services to prevent recovery.

It also conducts data exfiltration using tools like WinRAR and FileZilla before initiating encryption, maximizing operational disruption and leverage for extortion.
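The two paragraphs above name concrete, host-observable indicators: the readme_safepay.txt ransom note, the .safepay extension appended to encrypted files, and the pattern of archiving data with WinRAR and pushing it out with FileZilla before encryption starts. The following Python script is an added example written for this article; it is not code from Ingram Micro, ISMG, Huntress, Fortra or any vendor. It runs simple detection rules over a constructed, simplified event stream that stands in for EDR or Sysmon telemetry; the event field names (kind, host, ts, path, image, cmdline), the 10-minute window and the 20-file threshold are assumptions chosen for illustration.

```python
"""Detection sketch for the SafePay indicators named in the article.

Added example, not code from Ingram Micro, ISMG or any vendor. The event
format is a constructed stand-in for EDR/Sysmon telemetry; the field names
and the tuning values (WINDOW, MASS_ENCRYPT_THRESHOLD) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "readme_safepay.txt"      # ransom note file name from the article
ENCRYPTED_EXT = ".safepay"              # extension appended to encrypted files
ARCHIVERS = {"winrar.exe", "rar.exe"}   # staging tool named in the article
UPLOADERS = {"filezilla.exe"}           # exfiltration client named in the article
MASS_ENCRYPT_THRESHOLD = 20             # .safepay creations per host within WINDOW (assumed)
WINDOW = timedelta(minutes=10)          # correlation window (assumed)


def _basename(path):
    """Lower-cased final path component, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_safepay(events):
    """Return a list of (host, rule, detail) alerts for a list of event dicts."""
    alerts = []
    encrypt_times = defaultdict(list)   # host -> timestamps of recent .safepay creations
    archive_times = defaultdict(list)   # host -> timestamps of archiver launches
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["kind"] == "file_create":
            name = _basename(ev["path"])
            if name == RANSOM_NOTE:
                alerts.append((host, "ransom_note_dropped", ev["path"]))
            elif name.endswith(ENCRYPTED_EXT):
                # sliding window: keep only creations within WINDOW of this one
                recent = [t for t in encrypt_times[host] + [ts] if ts - t <= WINDOW]
                encrypt_times[host] = recent
                if len(recent) == MASS_ENCRYPT_THRESHOLD:   # fire once per burst
                    alerts.append((host, "mass_rename_to_safepay",
                                   f"{len(recent)} files within {WINDOW}"))
        elif ev["kind"] == "process_create":
            image = _basename(ev["image"])
            if image in ARCHIVERS:
                archive_times[host].append(ts)
            elif image in UPLOADERS and any(ts - t <= WINDOW for t in archive_times[host]):
                # archive-then-upload: FTP client launched shortly after an archiver
                alerts.append((host, "archive_then_ftp_upload", f"{image} after archiver"))
    return alerts


def sample_events():
    """Constructed telemetry: FS01 stages and uploads an archive, then encrypts."""
    t0 = datetime(2025, 7, 4, 2, 0, 0)
    evs = [
        {"kind": "process_create", "host": "FS01", "ts": t0,
         "image": r"C:\Program Files\WinRAR\rar.exe",
         "cmdline": r"rar.exe a -r D:\staging\finance.rar D:\shares\finance"},
        {"kind": "process_create", "host": "FS01", "ts": t0 + timedelta(minutes=3),
         "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
         "cmdline": "filezilla.exe"},
    ]
    for i in range(25):   # burst of encrypted files, one per second
        evs.append({"kind": "file_create", "host": "FS01",
                    "ts": t0 + timedelta(minutes=30, seconds=i),
                    "path": rf"D:\shares\finance\report_{i}.xlsx.safepay"})
    evs.append({"kind": "file_create", "host": "FS01", "ts": t0 + timedelta(minutes=31),
                "path": r"D:\shares\finance\readme_safepay.txt"})
    # benign noise: a lone WinRAR launch on another host, no upload, no encryption
    evs.append({"kind": "process_create", "host": "WS07", "ts": t0,
                "image": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": "WinRAR.exe"})
    return evs


if __name__ == "__main__":
    for alert in detect_safepay(sample_events()):
        print(alert)
```

On the constructed input the script raises three alerts for FS01 in chronological order (archive-then-upload, mass rename, ransom note) and none for WS07, whose single archiver launch is ordinary user activity. The ordering matters for response: the exfiltration pattern fires roughly half an hour before encryption begins, which is the window in which isolating the host still limits the damage the article describes.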
