Ingram Micro, one of the world’s largest IT distributors, is facing mounting pressure after the SafePay ransomware gang claimed responsibility for a devastating cyberattack and is now threatening to leak a massive trove of stolen data.
Ransomware Hits Ingram Micro Operations
The incident began on July 3, 2025, when Ingram Micro employees started receiving ransomware pop-ups. Core systems, including the GlobalProtect VPN and order processing platforms, were reportedly crippled, causing widespread operational disruptions. The company quickly launched an investigation and began working with cybersecurity experts to contain the attack.
By July 9, Ingram Micro announced that it had restored its global operations. Order processing services were resumed via electronic platforms, phone, and email across all regions.
SafePay Steps Forward with Extortion Threat
Weeks after recovery efforts began, the ransomware group SafePay added Ingram Micro to its leak site on July 29. The gang is now threatening to release 3.5 terabytes of stolen data unless the company pays a ransom by August 1. This data reportedly includes corporate documents, financial information, and possibly sensitive internal communications.
SafePay’s extortion post includes samples of allegedly stolen files to prove their claim and increase pressure. The group made it clear that public data exposure would follow non-compliance with the demand.
Who Is SafePay?
SafePay is a relatively new ransomware group, first surfacing in September 2024. Despite its short time in the threat landscape, it has already built a reputation for effective double-extortion tactics. In example, encrypting data while exfiltrating it for additional leverage.
Security researchers believe the group does not operate under a ransomware-as-a-service model. Instead, SafePay appears to be a self-contained operation with a focused, technically competent team.
Ingram Micro’s Response
Ingram Micro has remained largely tight-lipped about the ransom demands. While the company confirmed its systems are back online and business operations restored, it has not disclosed whether any data was stolen or whether it intends to negotiate with the attackers.
The company is working with law enforcement and cybersecurity consultants to further assess the scope of the attack and potential data exposure.
Risk of Data Exposure
If SafePay follows through with its threat, the release of 3.5TB of data could have serious consequences—not only for Ingram Micro but for its partners, clients, and vendors around the globe. The nature of the data remains uncertain, but given Ingram Micro’s role as a critical distributor of hardware, software, and cloud services, the fallout could be substantial.
Final Thoughts
The SafePay ransomware attack on Ingram Micro highlights the growing threat of double-extortion tactics and the serious implications of data theft in the tech supply chain. With the ransom deadline approaching fast, all eyes are on whether Ingram Micro will hold its ground or cave to the pressure. Either way, the incident serves as a stark reminder of the need for robust cybersecurity defenses and incident response strategies in today’s volatile threat landscape.
