Ingram Micro Suffers from Ransomware-Involved Technical Difficulties
Since last Thursday, Ingram Micro has been experiencing significant technical issues, which have now been confirmed to be caused by a ransomware attack. The company officially acknowledged the incident over the weekend, revealing that it had identified ransomware on some of its internal systems. However, it has divulged very limited details about the nature of the attack and has announced no timeline for system recovery or restoration.
Despite the lack of specific information, it is clear that the cybersecurity breach has disrupted several of Ingram Micro’s operations. The company has yet to specify when full recovery will be possible, leaving many partners and customers uncertain about the duration of the outage.
Potential Attribution to SafePay Threat Group
There are strong indications that the ransomware incident involving Ingram Micro might be linked to the threat group known as SafePay. This clandestine organization has been active since at least 2024 and is believed to include former members of well-known cybercriminal groups such as BlackCat and LockBit. SafePay publicly claims to have victimized approximately 200 organizations, with a notably high number of targets based in Germany. The group promotes its actions through a showcase website, which prominently features German-speaking victims, reinforcing the likelihood of a European-oriented operation.
Exploiting VPN Infrastructure Without Multi-Factor Authentication
One of the suspected methods of infiltration into Ingram Micro’s network is through the exploitation of virtual private network (VPN) platforms. SafePay appears to leverage insecure VPN gateways as an initial entry point into corporate networks. In this case, the attacker likely exploited Ingram Micro’s VPN service, which employs the GlobalProtect solution from Palo Alto Networks. The attack was possibly facilitated by the absence of multi-factor authentication (MFA) on this VPN connection, allowing malicious actors to gain access more easily.
As a consequence of the breach, critical platforms such as IMpulse and Xvantage are currently offline. This downtime not only hampers logistical operations but also raises concerns regarding potential security ramifications. Specifically, there is a risk that the attackers may have gained administrative privileges delegated to Ingram Micro by its tenants, especially those using Microsoft 365 services. Compromised admin privileges of this kind can lead to widespread access to and control over sensitive corporate environments.
Ingram Micro’s financial results for fiscal year 2024 show that the company posted a net profit of €264 million on revenues totaling €48 billion, which remained stable compared to the previous year. The ongoing cyberattack nevertheless poses immediate operational challenges, and the full scope of the damage remains uncertain.