What happened to Ingram Micro?

Ingram Micro, one of the world’s largest IT distributors, confirmed that it was the victim of a ransomware attack that disrupted its operations starting July 3, 2025.

The company proactively took certain systems offline, affecting platforms such as Xvantage and Impulse, which are critical for:

  • Order processing
  • Licensing services
  • Supply chain management for MSPs and resellers

Operations were partially restored after July 5, but disruptions continued for days across different regions.

Who is behind the attack?

The ransomware group SafePay claimed responsibility for the attack. SafePay is an emerging but highly active threat actor that:

  • Has targeted over 220 organisations globally by mid-2025
  • Was responsible for ~18% of ransomware activity in May 2025
  • Utilises double extortion tactics, encrypting files while threatening to leak stolen data if ransoms are unpaid

SafePay’s key tactics include:

  • Exploiting vulnerabilities in GlobalProtect VPNs and RDP portals
  • Using stolen or purchased credentials from dark web marketplaces
  • Moving laterally within networks lacking strong segmentation
  • Exfiltrating data before deploying ransomware for maximum leverage

Impact on Ingram Micro and its customers

This attack has highlighted the systemic risk of ransomware in the IT distribution sector, with:

  1. Service outages affecting thousands of MSPs and resellers globally
  2. Delayed product shipments and license provisioning, disrupting end customers
  3. Potential exposure of sensitive data, raising compliance and reputational risks
  4. Increased demand for cyber risk insurance and continuity planning

Broader industry implications

Ingram Micro’s role as a critical distributor for hardware, software, and cloud solutions means:

  • Vendors face channel disruptions, delaying sales pipelines
  • MSPs and resellers lose revenue due to operational downtime
  • SMBs and enterprises experience indirect IT service delays

This underscores how a single ransomware attack on a distributor can ripple across global IT ecosystems.

Lessons learned from the Ingram Micro ransomware attack

1. Third-party and supply chain risk is real

Organisations must treat their distributors, cloud providers, and MSPs as extensions of their own attack surface. Due diligence, contractual security requirements, and continuous monitoring are critical.

2. VPN and remote access security must improve

SafePay exploited VPN credentials, a common entry point in modern ransomware attacks. Zero Trust architectures, MFA, and credential hygiene are essential defences.

3. Incident response and communication are key

Ingram Micro’s rapid takedown of systems helped contain the attack, but proactive business continuity planning is needed to minimise customer impact during downtime.

4. Regular TLPT (Threat-Led Penetration Testing) is non-negotiable

Simulating ransomware scenarios helps organisations uncover vulnerabilities in segmentation, privileged access, and lateral movement pathways before attackers do.

How Apolo Cybersecurity can help

At Apolo Cybersecurity, we specialise in helping IT distributors, MSPs, and enterprises:

  • Conduct TLPT assessments simulating real ransomware tactics
  • Build Zero Trust architectures and secure VPN configurations
  • Implement 24/7 SOC monitoring for early detection and rapid response
  • Strengthen third-party risk management and contractual security requirements
