Ingram Micro struck by ransomware attack, causing ongoing system outage


Ingram Micro Holding Corporation has acknowledged that it fell victim to a ransomware attack, but refuses to share details about the incident.

Incident timeline & discovery

“Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures,” the company wrote in an online press release regarding the incident.

Ingram Micro, a distributor of information technology products and services, goes on to say in the press release that it has launched an investigation into the matter. An outside third-party cybersecurity firm is assisting. Law enforcement authorities have also been notified of the incident.

“Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the company apologizes for any disruption this issue is causing its customers, vendor partners, and others,” the company concludes.

Ingram Micro is declining to share more details about the ransomware attack. For example, it’s unclear when the attack took place, what systems were infiltrated, what data the hackers stole, or what the ransom demand is.

According to BleepingComputer, which has seen the attackers' ransom note, the SafePay ransomware operation is responsible for the attack. Sources told the news outlet that the gang breached Ingram Micro’s network through its GlobalProtect VPN platform last Thursday.

Once the attack came to light, employees were told to work from home. As a precaution, the company decided to shut down some of its systems, including GlobalProtect VPN, its AI-powered Xvantage distribution platform, and the Impulse license provisioning platform.

The SafePay ransomware operation was first seen in November 2024, but has claimed over 220 victims since then. It is known for breaching corporate networks through VPN gateways using compromised credentials and password spraying attacks.
