Since last Thursday, Ingram Micro, one of the world's largest technology companies, has been dealing with a major disruption to its systems. Its website and online ordering platform suddenly stopped working, and the company had not yet publicly explained what was happening.
However, it has now been revealed that the disruption was caused by a ransomware attack, specifically a variant called SafePay. The cyberattack reportedly began on Thursday morning and was so sudden that several employees found ransom notes directly on their devices, notifying them that their files had been encrypted.
Ingram Micro, which provides hardware, software, cloud services, logistics, and training solutions to thousands of businesses and service providers worldwide, has been forced to shut down several of its internal systems as part of its response to the incident.
The situation is still developing, but what is certain is that this is a serious attack that has affected the global operations of one of the key players in the technology supply chain.
What does the SafePay ransom note say, and how true is it?
The ransom note left by the attackers is associated with SafePay, one of the most active ransomware gangs of 2025. Although the message claims that they stole a large amount of information, this kind of claim is usually part of the same generic text they use in all their attacks, so it does not necessarily mean that they did so in this case.
It is also not entirely clear whether the files on the affected devices were actually encrypted, or whether it was just a warning to apply pressure.
SafePay ransom note found on devices (Source: BleepingComputer)
How did the attackers get in, and what did Ingram Micro do about it?
According to what we know, everything points to the attackers having entered Ingram Micro's system through its GlobalProtect VPN remote access platform, a tool that many companies use to enable their employees to work securely from outside the office.
Once the attack was detected, several teams at different locations were asked to work from home, while the company shut down several of its internal systems as a precaution. Employees were also instructed to stop using the VPN, as it appeared to have been one of the vulnerabilities exploited by the attackers.
Among the systems affected were Xvantage, Ingram's AI-powered intelligent distribution platform, and Impulse, its license provisioning tool. However, some key services such as Microsoft 365, Teams, and SharePoint continued to function normally, allowing for some level of internal communication to be maintained.
Until the day before the attack was officially confirmed, the company had not communicated to its staff or the public that it was ransomware. The only thing that had been said at the time was that there were ongoing technical problems, according to internal messages circulated within the organization.
SafePay, the ransomware behind the attack
The SafePay gang is relatively new; it has been known to exist since November 2024, but in a short time it has managed to do quite a bit of damage: more than 220 victims in different sectors, especially large companies.
What is worrying is that this operation often takes advantage of stolen credentials or misconfigurations in VPN networks, just as is believed to have happened in this case. Their modus operandi is not very sophisticated, but it is effective: they try combinations of leaked passwords and, when they manage to access a network, they move quickly within the system to encrypt files and, in some cases, steal data before launching the blackmail.
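The pattern described above (many leaked credentials tried against a VPN, then one success) leaves a recognizable trace in authentication logs. The following is an added example, not code from the original article or from any vendor: it assumes a generic, constructed CSV log format and hypothetical thresholds, and flags a successful login from a source that has just failed against several distinct accounts, recording whether MFA was used.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events. The column layout is an
# assumption for this example, not the log format of any specific product.
SAMPLE_LOG = """\
timestamp,src_ip,username,result,mfa
2025-01-01T08:00:05,203.0.113.50,alice,fail,no
2025-01-01T08:00:09,203.0.113.50,bob,fail,no
2025-01-01T08:00:14,198.51.100.7,frank,fail,no
2025-01-01T08:00:20,203.0.113.50,carol,fail,no
2025-01-01T08:00:31,198.51.100.7,frank,success,yes
2025-01-01T08:00:40,203.0.113.50,dave,fail,no
2025-01-01T08:01:02,203.0.113.50,erin,success,no
2025-01-01T08:30:00,192.0.2.10,grace,success,yes
"""

WINDOW = timedelta(minutes=10)  # hypothetical look-back window
MIN_FAILED_USERS = 4            # hypothetical threshold of distinct failed accounts

def find_stuffing_hits(log_text, window=WINDOW, min_users=MIN_FAILED_USERS):
    """Return one alert per successful login whose source IP failed against
    at least `min_users` distinct usernames within `window` before it."""
    failures = defaultdict(list)  # src_ip -> [(time, username)]
    alerts = []
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        ip = row["src_ip"]
        if row["result"] == "fail":
            failures[ip].append((ts, row["username"]))
            continue
        recent = {user for t, user in failures[ip] if ts - t <= window}
        if len(recent) >= min_users:
            alerts.append({
                "src_ip": ip,
                "username": row["username"],
                "time": row["timestamp"],
                "failed_users": len(recent),
                "mfa": row["mfa"] == "yes",  # False means a password alone got in
            })
    return alerts

if __name__ == "__main__":
    for alert in find_stuffing_hits(SAMPLE_LOG):
        print(alert)
```

A single user mistyping a password (the `frank` rows) does not trigger the rule, because it counts distinct accounts per source rather than raw failures.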
Ingram Micro breaks its silence and confirms ransomware attack
Finally, on Sunday, July 6, Ingram Micro broke its silence and publicly confirmed that it had suffered a ransomware attack. In a brief statement, they said the following:
“Ingram Micro recently identified ransomware on some of its internal systems. As soon as we became aware of this, we took steps to protect the affected environment, including disconnecting certain systems and applying other containment measures. We also launched an investigation with the help of cybersecurity experts and notified the relevant authorities.”
In addition, the company said it is working urgently to restore its systems and resume order processing, and apologized for the inconvenience this is causing to customers, partners, and suppliers.
Palo Alto Networks responds
Today, July 7, Palo Alto Networks, the creator of the VPN software that was allegedly the gateway for the attack, also issued a statement. While they did not confirm or deny the specific use of their platform in this incident, they said the following:
“We are aware of the security incident affecting Ingram Micro and reports mentioning the use of our GlobalProtect VPN. We are currently investigating these claims. It should be noted that cybercriminals often exploit stolen credentials or misconfigurations to gain access through VPN gateways.”
In other words, there is no direct confirmation that the breach was the fault of the software, but they do acknowledge that this type of remote access is a frequent target for attackers when it is not properly configured or protected.
What does this attack teach us?
This case leaves us with a clear lesson: protecting the perimeter is no longer enough. A single compromised VPN access point was enough for the attackers to get in and move around the network as if they owned the place.
Things like multi-factor authentication (MFA), access control, network segmentation, and visibility with EDR-type tools are no longer a “plus” — they are the bare minimum.
And beware, SafePay is not just any group. Since it appeared in November 2024, it has already affected more than 220 organizations. So far, Ingram Micro is its biggest victim.
A call to CISOs and IT leaders
This isn't just about applying patches or putting up firewalls.
We need to take the zero trust model seriously and conduct realistic intrusion tests on a regular basis. Because if something like this can happen to a company the size and stature of Ingram Micro, how exposed are smaller environments or those with older infrastructure?
Some uncomfortable (but necessary) questions:
- Is your VPN protected with MFA?
- Are you monitoring what happens inside your network, not just what comes in or goes out?
- Are you clear about what you would do if you woke up tomorrow with all your systems down?
This incident is not just cybersecurity news. It is a warning. A mirror in which many should look at themselves.
That is why at TecnetOne we focus on helping you avoid a situation like this. We know that every company is different, so we work with you to build a cybersecurity strategy that truly fits your business.
We offer solutions such as SOC as a Service, EDR, MFA, TecnetProtect, 24/7 monitoring, Zero Trust, and vulnerability analysis, but what matters is not just the technology, but how we use it to protect what really matters: your operations, your data, and your customers' trust. Would you like to know how to better protect your environment?