Information technology products and services giant Ingram Micro Holding Corp. has confirmed that it was targeted by a ransomware attack that resulted in disruption to its services over the July 4 long weekend.

The ransomware attack is believed to have first struck the company on July 3, when Ingram Micro’s website and ordering systems first went down. According to BleepingComputer, the attack involved the SafePay ransomware group.

SafePay first emerged in September 2024 and uses a double extortion tactic — both encrypting data and stealing it before then demanding a ransom payment to provide a decryption key and to promise not to reveal the stolen data. In a summary of the group in June, security firm Forta LLC noted that unlike many ransomware groups in 2025, SafePay designs and deploys its ransomware campaigns itself and does not rely on affiliates — a ransomware-as-a-service model — to attack potential targets.

While Ingram Micro did not confirm the type of ransomware involved, the company did say that upon learning of the issue, it took steps “to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures.” The company has also launched an investigation with leading cybersecurity experts, notified law enforcement and is working on restoring affected systems.

The ransomware attack has also raised concern among Ingram Micro’s customers, with Dark Reading reporting that one executive at a managed service provider cited fears that ransomware actors could use Ingram Micro platforms to access its network. The executive added that his company is removing third-party privileged access to its Microsoft tenant to close off the potential attack vector.

Though not officially confirmed, Bleeping Computer, citing sources, also claims that the threat actors breached Ingram Micro through its GlobalProtect VPN platform.

As for what may happen next, Rebecca Moody, head of data research at tech research site Comparitech, told SiliconANGLE that SafePay is known for both encrypting systems and stealing data, so if ransom demands aren’t met, it’s likely Ingram Micro will show up on SafePay’s data leak site in the coming days or weeks.

“Over the last couple of months, SafePay has stolen an average of 111 gigabytes of data from each victim, which can lead to significant breaches,” added Moody. “A prime example is Marlboro-Chesterfield Pathology, P.C., which was targeted by SafePay in January 2025, with the group allegedly stealing 30 gigabytes of data. The healthcare company subsequently issued data breach notifications to nearly 236,000 people.”

Photo: Ingram Micro