Ingram Micro has confirmed that a ransomware attack caused the service disruptions that impacted its systems over the July 4 holiday weekend.
The attack forced the company to take some of its internal systems offline, disrupting business operations and order processing for several days.
Ingram Micro, one of the world’s largest B2B technology distributors, said it launched an investigation and contacted law enforcement after it discovered ransomware on internal systems. The company has not disclosed who was behind the attack, but reports point to the SafePay ransomware group.
“Ingram Micro recently identified ransomware on certain of its internal systems,” the company said in a public statement. “Promptly after learning of the issue, the Company took steps to secure the relevant environment… and notified law enforcement.”
The company apologized forthe disruptions and said it is working to restore impacted platforms, including its Xvantage distribution and Impulse license provisioning systems.
Impact on operations and customer services
According to BleepingComputer, employees across various locations were told to work from home after the attack. Sources told the outlet that the attackers likely exploited Ingram Micro’s GlobalProtect VPN platform to gain access.
While core services, such as Microsoft 365 and Teams, continued to function, the company’s order processing systems and website operations were impacted.
A ransom note attributed to the SafePay group was found on employee devices, although it remains unclear whether any data was stolen or encrypted.
What happened?
The Ingram Micro cyber incident reportedly began Thursday, July 3, and resulted in an extensive internal shutdown.
At the time, Ingram Micro did not confirm or deny reports on the attack, simply referring to the issue as an “IT disruption.”
The company’s public confirmation came two days later, on Saturday, July 5, following pressure from cybersecurity reporters and affected partners. BleepingComputer was first to report the ransomware attack, citing sources with knowledge of the situation.
SafePay has been active since late 2024 and is known to target organizations via compromised VPN credentials and password spray attacks.
The group became the most active ransomware group in May 2025, responsible for 18% of all reported attacks that month, per NNC Group.
While the group’s ransom notes typically claim extensive data theft, such claims remain unverified.
Ingram Micro is a critical part of many partners’ stacks worldwide. It recently rolled out an AI enablement program to help those partners capitalize on the demand for AI solutions.