The threat group reportedly responsible for the attack against Ingram Micro is a new and highly active player in ransomware.
The threat group SafePay, which is reportedly responsible for the attack against Ingram Micro, is a new and highly active player in ransomware, according to security researchers.
IT distribution giant Ingram Micro confirmed Saturday evening that it had been impacted by a ransomware attack and that it is “working diligently to restore the affected systems so that it can process and ship orders.”
[Related: Ingram Micro Confirms Ransomware Attack, Working To Restore Systems To ‘Process And Ship Orders’]
CRN has reached out to Ingram Micro for further comment.
BleepingComputer had reported earlier on Saturday that Ingram Micro has been affected by a ransomware attack associated with the cybercriminal group known as SafePay.
Ingram Micro’s online ordering systems have been down since Thursday, according to BleepingComputer.
What follows are five things to know about the SafePay ransomware group.
A New Player
According to a June post from NCC Group, SafePay is a “newly emerging threat group” that has only been active since November 2024.
The post cited “suggestions that Safepay may be a rebrand of other well-known actors LockBit, Alph V, and INC Ransomware.”
LockBit was a highly prolific cybercriminal gang whose operations were disrupted in February 2024 by the FBI and other law enforcement agencies, while Alphv dissolved after the widely felt cyberattack against Change Healthcare.
Highly Active Group
Despite its status as a newcomer, SafePay was the most-active ransomware group in May 2025, according to the NCC Group research.
The report found that SafePay was responsible for 70 attacks in total during the month, or about 18 percent of all attacks.
If it turns out to be true that SafePay consists of members of prominent former ransomware groups such as LockBit and Alphv, “it would explain how a new group was able to attack in high volumes and at speed, as they would in fact be well-resourced and experienced threat actors under a new name,” NCC Group researchers said in the post.
Previous Attacks
A November 2024 incident that helped to bring SafePay to light was the ransomware attack against Microlise, a telematics provider based in the U.K. The attack reportedly included the theft of 1.2 TB of data.
Reported victims of SafePay attacks also included Marlboro-Chesterfield Pathology, an anatomic pathology lab based in North Carolina. In May, the lab disclosed that patient information for more than 200,000 patients had been compromised.
Attack Details Unclear
The specifics of the SafePay attack against Ingram Micro remain unconfirmed at this point, though BleepingComputer reported having seen a ransom note from the group.
While the site reported that it was not clear whether Ingram Micro employee devices had been encrypted, the ransom note did claim that a variety of data had been stolen in the attack — though the language may be boilerplate and not specific to the Ingram Micro incident, BleepingComputer noted.
VPN Breach Claimed
Citing sources with knowledge of the incident, BleepingComputer reported that an entry point for the ransomware attack was a compromise of the GlobalProtect VPN system used by Ingram Micro.
Palo Alto Networks, which is the maker of GlobalProtect, said in a statement provided to CRN that it is “aware of a cybersecurity incident impacting Ingram Micro and reports that mention Palo Alto Networks’ GlobalProtect VPN.”
“We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways,” the company said in the statement.
