
A Deeper Look at SafePay Following Ingram Micro Attack

SafePay ransomware group surges as a top threat with global attacks like Ingram Micro, driving urgent supply chain security measures.

Written By
Jordan Smith
Jul 10, 2025

By now, virtually everyone in the channel knows Ingram Micro suffered an attack in early July that led to days of partial downtime. The global platform provider was hit by a ransomware group that first surfaced in 2024: SafePay.

Group now considered one of the most active in ransomware activity

Despite sounding like a secure online commerce platform, SafePay was the fourth most active ransomware group as of March 2025 and became the most active group in May, according to one report.

On July 3, Ingram Micro’s website and online ordering systems went down, impacting its business in the U.S., Europe, and Asia. SafePay has claimed responsibility for the attack; Ingram Micro, however, has not attributed it to any actor.

The company has since resumed normal operations and is once again operating globally, with online orders available.

The attack on Ingram Micro had a significant impact not only on the company itself but also on the entire ecosystem. An attack on a major third-party distributor is a significant event for most channel partners.

“The Ingram Micro ransomware incident underscores a critical inflection point: adversaries are increasingly targeting third-party distributors to exploit the supply chain ripple effect. This isn’t just about silenced servers – it’s a strategic escalation,” said Douglas McKee, executive director of threat research at SonicWall. “Organizations must stop viewing these distributors as peripheral and instead harden them as critical infrastructure. From segmented networks to zero-trust VPN access and continuous validation of MSP channels, we need to build resilience upstream, not just downstream. And that starts with embedded product security testing – proactively validating the software and systems in your stack before attackers get the chance.”

So, where did SafePay come from, and what do we know about this group so far?

Emergence of SafePay ransomware group

According to a report by Quorum Cyber, the first confirmed activity of SafePay ransomware occurred in September 2024, less than a year ago.

The group’s method of breach appears to involve operators gaining initial access to victim endpoints through a VPN gateway using valid credentials, likely obtained through stealware or purchased from dark web markets. SafePay employs double-extortion techniques: it exfiltrates data before encrypting it, then threatens to leak the stolen data unless a ransom is paid.

In March 2025, SafePay had 43 confirmed victims listed on its dark web Data Leak Site (DLS), targeting both public and private sectors worldwide. The group has particularly targeted the U.S., Germany, and the U.K. in its attacks, with the most targeted sectors being manufacturing, construction, education, retail, and agriculture.

In March and April 2025, SafePay conducted coordinated targeting campaigns in two separate 24-hour periods against organizations based in Germany. The first was conducted on March 30, with 11 German organizations submitted to the DLS, and the second on April 17, with 10 more organizations added.

“SafePay is highly likely based within Russia as the group does not allow targeting of Commonwealth of Independent States (CIS),” Quorum’s research states. “This is commonly a trait of groups based within Russia.”

Threat intelligence enterprise Cyble released a ransomware landscape report for May 2025, highlighting SafePay as the top ransomware group for the month, a period during which ransomware groups claimed 384 victims.

SafePay is responsible for 58 claimed victims in May, according to Cyble, and 198 victims in total since the group first emerged.

Strategic partnership is one area where channel partners are looking to help defend against ransomware attacks. Read more about Halcyon’s latest partnership with Pax8 to make their anti-ransomware platform available to Pax8 partners.


Jordan Smith is a news writer who has seven years of experience as a journalist, copywriter, podcaster, and copyeditor. He has worked with both written and audio media formats, contributing to IT publications such as MeriTalk, HCLTech, and Channel Insider, and participating in podcasts and panel moderation for IT events.

Channel Insider combines news and technology recommendations to keep channel partners, value-added resellers, IT solution providers, MSPs, and SaaS providers informed on the changing IT landscape. These resources provide product comparisons, in-depth analysis of vendors, and interviews with subject matter experts to provide vendors with critical information for their operations.
