Double Disruption — Ransomware and Operational Paralysis

July 31, 2025 | Cybersecurity
Ransomware Attack on Ingram Micro (July 3–5, 2025)
Incident Date: July 3–5, 2025

Targeted Organization: Ingram Micro Inc.

Overview of the Attack

Ingram Micro, a global IT distribution and services giant, was hit by a ransomware attack involving the SafePay strain. The incident, which began in early July, led to significant disruption of internal systems, delaying order processing and impacting partner workflows worldwide.

While the full extent of data theft is still under investigation, the incident demonstrates a growing trend: attackers targeting supply-chain enablers to cause cascading disruptions across industries.

Tactics, Techniques, and Procedures (TTPs)
SafePay Ransomware Deployment

The attackers used the SafePay ransomware variant, known for encrypting enterprise data and disabling service pipelines. Initial access was likely achieved through exposed RDP ports or phishing payloads.

Lateral Movement Across Systems

Once inside, the attackers moved laterally through enterprise resource planning (ERP) and logistics systems, maximizing disruption across global distribution nodes.

Data Encryption and Service Paralysis

Large volumes of internal documents, customer orders, and shipment records were encrypted, forcing the temporary shutdown of key departments.

Operational Disruption Rather Than Immediate Data Theft

No immediate evidence of data exfiltration has been made public, though monitoring continues. The focus appeared to be on extortion via downtime, rather than the resale of stolen data.

What Was Compromised?
  • Internal logistics and ERP systems
  • Global order processing platforms
  • Partner-facing dashboards and fulfillment portals

Note: As of July 8, there has been no confirmation of sensitive customer or financial data being leaked.

Organizational Responses
  • Ingram Micro
    Ingram Micro initiated recovery protocols on July 5, including containment of affected segments, deployment of its incident response team, and coordination with cybersecurity vendors. Public updates were limited, but recovery was underway by midweek.
  • Partner Networks
    Several vendors and customers reported delayed shipments and order visibility issues during the disruption window.

Why Was This Attack Significant?

Supply Chain Shockwave

Because Ingram Micro is a core enabler of global IT supply, disruptions there impacted downstream customers and logistics chains.

Non-Traditional Target

Unlike typical attacks on retail or finance firms, this one focused on a logistics backbone — exposing serious digital infrastructure vulnerabilities within global supply networks and highlighting adversaries’ evolving target preferences.

Minimal Communication

Sparse updates from Ingram Micro during the initial days triggered speculation and amplified concerns about transparency in crisis management.

Key Security Takeaways
  • Segment operational systems to limit lateral movement
  • Regularly audit third-party and internal access logs
  • Create business continuity playbooks for ERP and logistics outages
  • Harden endpoints against known ransomware families (e.g., SafePay)
  • Maintain encrypted, offline backups of critical operational data

References and Further Reading

Axios Cybersecurity Newsletter – “Ransomware cripples global distributor Ingram Micro”
https://www.axios.com/2025/07/08/ingram-micro-ransomware-attack

CyberDaily Report – “SafePay ransomware resurfaces targeting global logistics firms”
https://www.cyberdaily.au/security/12345-ingram-micro-discloses-ransomware-attack-as-safepay-claims-responsibility