Giant IT services distributor Ingram Micro appears to be the latest victim of SafePay, a fast-rising ransomware group that surfaced in 2024 and has been highly active in the months since.
Ingram Micro’s website and online ordering systems went down on July 3, affecting their business in the United States, Europe, and Asia. Two days later, the company issued a statement saying it had “recently identified ransomware on certain of its internal systems.” While the company has restored its website, a banner at the top of each page states, “Ingram Micro is currently experiencing a cybersecurity incident”, and offers a link to the company's official statement.
The Irvine, California-based company did not attribute the attack to a particular bad actor, but the SafePay group has claimed responsibility, and the ransom note seen by BleepingComputer displayed the hallmarks of the notes left by SafePay with other victims.
It read in part, “Greetings! Your corporate network was attacked by Safepay team. You IT specialists made a number of mistakes setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you.”
Stolen Data, Double-Extortion
The group, known for double-extortion attacks that combine file encryption with data theft and extortion threats, claims to have stolen a wide range of sensitive information. This includes financial statements, intellectual property, accounting records, legal documents, personnel and customer files, and bank account details, all used to pressure victims into paying.
SafePay also details how Ingram Micro executives can contact the group.
The company, which has more than 23,000 employees in 57 countries and saw first-quarter sales reach more than $12.28 million, has stated that it took a number of steps after learning of the issue, including taking some systems offline and implementing other mitigation initiatives. It also brought in "leading cybersecurity experts” to help investigate the breach and notified law enforcement agencies.
In Through the VPN
BleepingComputer, citing unnamed sources, reported that the attackers gained access to Ingram Micro’s corporate network via its GlobalProtect VPN platform, an entry point consistent with SafePay’s known tactics.
“SafePay ransomware operators are reported to gain initial access via victim endpoints through a VPN gateway using valid credentials, likely obtained through stealware or purchasing from dark web markets,” researchers with cybersecurity firm Quorum Cyber
wrote in a report earlier this year. “The group highly likely also conducts attacks via the exploitation of VPN vulnerabilities, however, known confirmed vulnerabilities are known at this time.”
An Aggressive Ransomware Group
The group surfaced in September 2024 and has since accelerated its efforts, according to cybersecurity experts. Quorum Cyber researchers noted that in March, it was the fourth most active ransomware group, posting 43 confirmed victims to its data leak site, targeting the public and private sectors worldwide while focusing most of its efforts on organizations in the United States, the UK, and Germany.
Attacks against U.S. and German organizations often come in large waves, with more than 10 attacks a day, they wrote. It has attacked organizations in a range of sectors, including health care, education, IT, finance, and government.
In a report in November 2024, threat analysts with cybersecurity vendor Huntress who investigated two security incidents by the then-nascent ransomware group noted that “the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range.”
SafePay used valid credentials to access customer endpoints and didn’t enable Remote Desktop Protocol (RDP), create new user accounts, or do anything else to create persistence, they wrote. In addition, in both attacks, the ransom notes began with “Greetings! Your corporate network was attacked by SafePay team.”
Law enforcement actions against high-profile ransomware operations like LockBit and ALPHV – also known as BlackCat – have made room for new players, including SafePay, according to Chris Hauk, consumer privacy champion at Pixel Privacy.
“The group first gained fame with an early high-profile SafePay ransomware attack on UK telematics business Microlise, with SafePay claiming to have stolen 1.2 terabytes of data and demanding payment in less than 24 hours,” Hauk said. “The reports I've seen indicate the group moves quickly, with fast encryption times, seeing attacks typically move from system breach to deployment in less than 24 hours.”
Number One in May
Since its initial attacks, SafePay has only increased its activities. According to security vendor Cyble, SafePay was the most active ransomware group in May, claiming 58 victims and bringing the total number of victims on its list to 198 through May.
The threat group claims it isn’t a ransomware-as-a-service (RaaS) operation, the Cyble researchers wrote.