
SafePay Is A ‘Highly Specialized’ Hacker Group With An Unusual Approach: Experts

CRN by CRN
July 9, 2025


The threat actor linked to the disruptive ransomware attack against Ingram Micro has shunned the prevalent ransomware-as-a-service model—even as it has rapidly become a major player in the cybercrime world, security researchers tell CRN.

The threat actor linked to the disruptive ransomware attack against distribution giant Ingram Micro, SafePay, has taken an unusual approach to cyberattacks that makes the hacker group more formidable to defend against, cybersecurity experts told CRN.

Notably, SafePay has shunned the prevalent ransomware-as-a-service model—which divvies up the steps of a ransomware attack among various entities—and instead carries out all phases of a cyberattack on its own, according to the researchers.


“They do the initial compromise. They exfiltrate the information. They do the negotiation with the victims,” said Santiago Pontiroli, lead security researcher at cybersecurity and data protection vendor Acronis. “Everything is done in-house.”

For example, SafePay has tended to use well-known tools such as FileZilla for exfiltrating data, which wouldn’t typically be flagged as suspicious. The group also customizes certain aspects of its ransomware attacks that can complicate detection and recovery, Pontiroli said.

“It highlights that everything they do is handcrafted,” he said. “I think this group is highly specialized.”

There’s no question that an “insular” group that bypasses the ransomware-as-a-service (RaaS) model, such as SafePay, can be assumed to possess a higher level of skill and experience than the average cybercriminal organization, according to GuidePoint Security’s Jason Baker.

“RaaS has taken off and proven resilient because it breaks down those barriers to entry and it distributes the skill requirements,” said Baker, threat intelligence consultant at Herndon, Va.-based GuidePoint, No. 37 on CRN’s Solution Provider 500 for 2025. “I would typically expect it to be harder and require more skill to [operate] an insular group than a simple RaaS outfit.”

Group’s Origins Unclear

Still, there’s no definitive evidence linking SafePay to high-profile threat groups such as LockBit, Alphv/Blackcat or Inc. Ransom, researchers told CRN. The reported use by SafePay of a ransomware variant similar to that of LockBit proves little, given that the LockBit builder code had been previously leaked, according to the researchers.

What’s more certain is that SafePay has rapidly emerged as a major player in the cybercrime world—and one that, judging by the impact from the Ingram Micro attack, is capable of causing significant disruption, experts said.

Ingram Micro’s online ordering systems have been down for nearly a week as of this writing, with the outage having begun July 3, according to a report from BleepingComputer. The IT distributor acknowledged the ransomware attack on July 5 and said Tuesday that its restoration efforts were continuing, with the U.S. having joined the list of countries that can now place orders over the phone or email.

SafePay Has ‘Picked Up Speed’

Researchers only became aware of SafePay in September 2024 and, initially, the group was known to claim between three and 10 victims per month, according to GuidePoint’s Baker.

However, that has recently shot up to between 30 and 40 victims per month claimed by SafePay, he said.

SafePay has undoubtedly “picked up speed very quickly,” Baker said, moving at a pace that has only rarely been seen in the past among ransomware groups, such as with Inc. Ransom.

So while the origins of SafePay are still unclear at this point, “anytime we see a group that’s been around for six months or less—and all of a sudden they’re netting 20, 30, 40 victims a month—that’s a big red flag for us that these are not new guys.”


