How the SafePay Ransomware Crippled Ingram Micro’s Global Operations

On July 4, 2025, Ingram Micro experienced a major system outage after a SafePay ransomware group infiltrated its network via GlobalProtect VPN, stealing nearly 1 TB of confidential files—including finance, legal, customer, and transaction data—and encrypting critical systems.

Ingram Micro, founded in 1979 and headquartered in California, operates in more than 160 countries and runs 189 global logistics centers, providing fast delivery, reverse logistics, cloud solutions (AWS, Azure) and e‑commerce technology support.

The attack caused a 48‑hour disruption of the IT operations platform, online procurement system, and corporate website. In response, the company isolated infected servers, switched to manual processes for key orders, and engaged security firms such as Mandiant and CrowdStrike for investigation and remediation, while issuing regular updates via email and its portal.

The outage delayed hardware and cloud service delivery, affecting managed service providers and end‑enterprise customers, and the potential exposure of financial and source‑code data could trigger compliance issues across multiple jurisdictions.

SafePay, a ransomware group first observed in November 2024, became the most active ransomware organization by May 2025, launching 70 attacks in a single month and accounting for 18% of global ransomware activity.