Ingram Micro Confirms Ransomware Attack After Outage

The confirmation follows growing speculation and leaked information pointing to a cyberattack. According to outside sources, employees first noticed the issue when ransom notes appeared on devices. The attackers have been identified as the SafePay ransomware group, one of the most active and disruptive ransomware operations in 2025.

The attackers left a ransom note claiming responsibility and reportedly gave Ingram Micro seven days to pay. Although these notes often use standard language, SafePay claims it exploited weak network security and gained extensive access before executing the attack.

Sources indicate the attackers may have breached the company through its GlobalProtect VPN. Employees were instructed not to use the VPN and, in some locations, to work from home.

In response to the breach, Ingram Micro immediately took affected systems offline and launched an investigation with support from third-party cybersecurity experts. The company also notified law enforcement.

Systems impacted include Ingram Micro’s Xvantage digital platform and its Impulse license provisioning system. However, services like Microsoft 365, Teams, and SharePoint reportedly remain accessible.

Fallout and uncertainty

As one of the largest global IT distributors, Ingram Micro’s role in the digital supply chain means this incident could affect a wide range of managed service providers (MSPs) and resellers. It remains unclear whether Ingram Micro intends to pay the ransom. Experts warn that even if a ransom is paid, recovery is not guaranteed. SafePay has not yet published any stolen data or confirmed whether files were encrypted during the breach.

The coming days will be critical as Ingram Micro continues its recovery efforts and investigates the full scope of the incident. For now, the company’s systems remain partially offline, and the long-term impact on its operations and reputation is still unfolding.