Major US IT product and service provider Ingram Micro has revealed that it suffered a ransomware attack leading up to the Fourth of July weekend that led to systems being taken offline.
In a statement on its website, Ingram Micro said it detected ransomware on its systems and has now launched an investigation.
“Ingram Micro recently identified ransomware on certain of its internal systems,” the company said.
“Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures.
“The company also launched an investigation with the assistance of leading cyber security experts and notified law enforcement.”
At the time of writing, Cyber Daily has observed that the “About us” page of the Ingram Micro website is offline, but the home page is accessible.
Additionally, the Australian Ingram Micro website warns of an outage resulting from a cyber incident.
While Ingram Micro has not named the threat actor behind the incident, cyber publication BleepingComputer reported that a ransom note claiming to be from the SafePay ransomware group had appeared on employee devices.
“Greetings! Your corporate network was attacked by SafePay team,” the note said.
“Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you.”
The letter adds that a network misconfiguration allowed the group to gain access to the Ingram Micro network and that “all files of importance” have been encrypted, while the ones of most interest to the threat actors were exfiltrated.
“We have in possession on [sic] your files, such as financial statements, intellectual property, accounting records, lawsuits and complaints, personnel and customer files, as well as files containing information on bank details, transactions and other internal documentation.”
The threat actor also said Ingram Micro has seven days to pay the ransom to ensure data is deleted from the threat actor’s servers and decrypted on Ingram Micro’s.
SafePay’s ransom note appears to be word for word identical to its previous claims, apart from the number of days until payment is due. This suggests that the list of stolen data in the note is a template rather than an accurate account of what was actually taken from Ingram Micro.
Following the discovery of the breach, Ingram Micro reportedly told employees to work from home and not to use Ingram Micro’s GlobalProtect VPN.
Palo Alto Networks told BleepingComputer that threat actors likely used the VPN gateway to gain access.
“At Palo Alto Networks, the security of our customers is our top priority. We are aware of a cyber security incident impacting Ingram Micro and reports that mention Palo Alto Networks’ GlobalProtect VPN,” Palo Alto Networks told BleepingComputer.
“We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”
Who is SafePay?
SafePay is a relatively new player in the ransomware game, having first been observed active in October 2024.
The group has been observed targeting businesses in Australia, the United Kingdom, the United States, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina, and, according to the group, is not a ransomware-as-a-service (RaaS) operation.
“SafePay ransomware has never provided and does not provide the RaaS,” it said on its dark web leak site.