Ingram Micro, the $47 billion annual revenue technology reseller, has been hit by ransomware, delaying shipments to customers globally.
The IT channel heavyweight provides hardware, financing, and lifecycle management. Of particular concern to some security observers, it also supports large numbers of Managed Service Providers (MSPs).
Confirming the attack, the firm said on June 5 that it is “working diligently to restore the affected systems so that it can process and ship orders” and apologised for disruption to “customers, vendor partners, and others…”
Bleeping Computer said it had been sent a ransom note that confirmed the attack as being associated with the “SafePay” ransomware.
It was not immediately clear if any devices had been encrypted before Ingram Micro preemptively shut down systems to minimise contagion.
The SafePay ransomware group was first reported on by Huntress in November 2024 after it responded to an incident in which the attackers had hit an exposed RDP port. Bleeping Computer cited “sources” as saying Ingram Micro was hit via its Palo Alto GlobalProtect VPN platform.
It was unclear whether this was via stolen credentials or an unpatched vulnerability, for example 2024’s widely exploited CVE-2024-3400.
German security company DCSO said it has previously seen SafePay hit targets – many have been in Germany – via “password spraying against the VPN gateway.” In its incident response it had also seen the group actively search for “backup solutions in the affected environment and encrypted them, in addition to deleting Volume Shadow Copies (VSC), all in an effort to inhibit recovery activities,” it said in a May 2025 post.
“All encryption activities happened within virtual machines (VMs), although the attackers were in the possession of the necessary privileges to perform encryption of the VMs on the hypervisor level. This could indicate that the SafePay ransomware group at the time of writing was not in the possession of a ransomware variant compatible with hypervisors such as VMware ESXi,” it added in its malware analysis.
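For defenders, the “password spraying against the VPN gateway” pattern DCSO describes can be hunted for in gateway authentication logs. The sketch below is an added example, not code from DCSO or from the original article; the log format, addresses, usernames, and thresholds are constructed assumptions, not a real vendor format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp source_ip username result" (hypothetical format).
SAMPLE_LOG = """\
2025-05-01T02:00:05 203.0.113.7 alice FAIL
2025-05-01T02:00:41 203.0.113.7 bob FAIL
2025-05-01T02:01:02 198.51.100.20 bob FAIL
2025-05-01T02:01:10 198.51.100.20 bob FAIL
2025-05-01T02:01:19 198.51.100.20 bob FAIL
2025-05-01T02:01:30 203.0.113.7 carol FAIL
2025-05-01T02:02:15 203.0.113.7 dave FAIL
2025-05-01T02:03:00 203.0.113.7 erin FAIL
2025-05-01T02:03:40 203.0.113.7 svc_backup OK
2025-05-01T08:15:00 192.0.2.10 alice FAIL
2025-05-01T08:15:20 192.0.2.10 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail logins against >= min_users distinct
    accounts inside a sliding window, and record any later success from
    a flagged source (a likely guessed password)."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures in window
    flagged = {}
    for ts, ip, user, result in sorted(parse(l) for l in lines if l.strip()):
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()    # drop failures older than the window
        if result == "FAIL":
            failures.append((ts, user))
            users = {u for _, u in failures}
            # Many accounts, few tries each: spraying rather than brute force.
            if len(users) >= min_users:
                entry = flagged.setdefault(ip, {"users": set(), "success_after": []})
                entry["users"] |= users
        elif ip in flagged:
            flagged[ip]["success_after"].append(user)
    return flagged

if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(hit["users"]), "success:", hit["success_after"])
```

Repeated failures against a single account (198.51.100.20 in the sample) are deliberately not flagged here, and a spray spread out beyond the window will evade this check, so the window and threshold need tuning against real gateway logs.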
Among systems reportedly impacted are Ingram Micro’s flagship Xvantage platform and Impulse license provisioning platform. The firm is referring enquiries about platform impact back to a terse press release.
(Xvantage, said Ingram Micro CEO Paul Bay on a May 2025 earnings call, “connects our team members, our vendor partners and our customers through its real-time data mesh powered by four petabytes of data, 32 million lines of code and more than 300 AI and machine learning models… harmonizes disparate data sources into a unified platform, unlocking real-time insights, AI analytics and rich data visualizations.”)
Attackers increasingly target backups and, as per NCSC guidance, organisations should be looking to implement the “3-2-1” rule: at least 3 copies, on 2 devices, and 1 offsite. In ransomware incidents, restoration from backups has often not been well rehearsed or wargamed, with little institutional knowledge about how to back up when AD access is lost, or about the challenges of getting to off-site backups.
