The SafePay ransomware group has issued a serious threat against Ingram Micro, claiming to have stolen 3.5 terabytes of confidential data following a cyberattack that took place earlier this month. The attackers are now warning that they will leak the information if their demands are not met.
For those unfamiliar, Ingram Micro is one of the world’s largest technology distributors. The company works with resellers, managed service providers, and businesses in over 160 countries, offering everything from hardware and software to cloud solutions, logistics services, and specialized training.
Although rumors about the attack had been circulating since early July, it was only this week that SafePay publicly confirmed responsibility, adding Ingram Micro to its leak site on the dark web as part of its pressure strategy.
Ingram Micro listing on SafePay's leak site (Source: BleepingComputer)
The SafePay ransomware group emerged on the scene in September 2024 and has only increased its activity since then. In less than a year, it has added over 260 companies to its leak site on the dark web, though the actual number of victims is likely much higher, as it only publicizes cases where the ransom is not paid.
Their modus operandi follows a familiar yet effective pattern: they steal confidential documents before encrypting systems, then threaten to publish the information if they aren’t paid. It’s the classic “double extortion” tactic that has become common in recent years, but SafePay has taken it to another level.
Since early 2025, SafePay has established itself as one of the most active and aggressive ransomware groups, taking advantage of the void left by dismantled or inactive gangs such as LockBit and BlackCat (ALPHV).
One of the most high-profile cases this month has been the attack on Ingram Micro, one of the largest technology companies in the world. The attack caused significant disruption to its global operations: employees were sent to work from home, the web portal went offline, and ordering systems were completely disconnected.
Following the attack, the company acted swiftly. It implemented urgent measures, including corporate-wide password resets and enhanced access with multi-factor authentication (MFA), and worked around the clock to restore VPN access for its staff. Within days, it had restored many of its internal systems, enabling teams to resume their regular tasks and bring the ordering platform back online.
Just four days after officially disclosing the incident, Ingram Micro issued a statement confirming that it was fully operational in all regions where it conducts business. The company gave assurances that its teams were working at full capacity to continue supporting customers and partners without major disruptions.
Although all signs point to SafePay being behind the attack on Ingram Micro (the group even listed the company on its own leak site), the company has not publicly confirmed the identity of the attackers or whether any confidential data was stolen.
This is a common practice in such cases. Companies tend to be cautious when sharing information during an active investigation, especially when there are legal implications, risks to customers, or ongoing recovery processes.
What’s happening with SafePay clearly reflects how ransomware has evolved: it’s no longer just about locking files, but about extorting victims with the threat of publicly exposing sensitive information. The troubling part is that these groups are operating with increasingly professional methods, almost like organized criminal enterprises.
With SafePay gaining ground and big names like Ingram Micro appearing on its list, the message is clear: no organization is immune to the risk.