Ingram Micro Confirms Ransomware Attack on Internal Systems

Key Takeaways:

  • Ingram Micro has identified ransomware on certain internal systems as of July 5, 2025.
  • The company took immediate action, bringing impacted systems offline and launching a forensic investigation.
  • No customer-facing systems have been confirmed as affected at this time.
  • A ransomware group calling itself SafePay has reportedly claimed responsibility.
  • Law enforcement and third-party cybersecurity experts are involved in the ongoing response.

Update July 8, 2025, with enlarged quote from SonicWall’s Douglas McKee.

Ingram Micro, one of the world’s largest IT distribution and logistics companies, confirmed over the weekend that it experienced a ransomware attack affecting parts of its internal infrastructure. Ingram has been a crucial name in the distribution business since the 1990s, when we used terms like VAR (value added reseller) and VAD (value added dealer) instead of today’s more commonplace managed service provider (MSP). Back in the 1990s, these VARs and VADs made the bulk of their revenue from hardware margins, but over the years this revenue has migrated to recurring services, hence the evolution of VAR to managed service provider. Ingram disclosed that it had discovered unauthorized activity involving ransomware on certain internal systems on July 5, 2025.

This is obviously an important attack vector for hackers as the company now sells to thousands of MSPs – who themselves are a large supply chain attack vector for hackers. All in, Ingram has around 161,000 customers and over 1,500 vendors.

In response to the incident, Ingram Micro said it promptly took affected systems offline to contain the threat and prevent further compromise. The company has engaged a team of third-party cybersecurity specialists to lead the forensic investigation and is coordinating with law enforcement to determine the origin and scope of the attack.

Although specific details remain limited, early reporting suggests the threat actor group SafePay may be behind the attack. SafePay has claimed responsibility via underground forums, alleging it used a vulnerability in Ingram Micro’s VPN infrastructure to gain access to internal networks. The group has also claimed to have extracted financial data, intellectual property, and some customer-related records, though these claims have not been independently verified.

At this stage, Ingram Micro has not confirmed any breach of customer-facing systems or public cloud services. Its core logistics, channel services, and partner platforms appear to be operational, though some delays or processing issues may affect order fulfillment in the short term.

The Ingram Micro ransomware incident underscores a critical inflection point: adversaries are increasingly targeting third‑party distributors to exploit the supply chain ripple effect. This isn’t just about silenced servers—it’s a strategic escalation. Organizations must stop viewing these distributors as peripheral and instead harden them as critical infrastructure. From segmented networks to zero‑trust VPN access and continuous validation of MSP channels, we need to build resilience upstream, not just downstream. And that starts with embedded product security testing—proactively validating the software and systems in your stack before attackers get the chance.

Douglas McKee, Executive Director of Threat Research at SonicWall.

The company issued a statement reassuring partners and customers that it is working swiftly to assess the full scope of the incident. “We are taking this matter seriously and working diligently with experts to restore systems safely and ensure the integrity of our infrastructure,” the company said. It also apologized for any inconvenience the disruption may cause and pledged transparency as the investigation continues.

Ransomware incidents targeting IT infrastructure providers have increased in frequency and complexity, often affecting not just the immediate victim but downstream organizations. As a critical link in the technology supply chain, any disruption at Ingram Micro could ripple out to resellers, OEMs, and managed service providers who rely on the company’s platform for product distribution and order management.

Security experts caution that while taking systems offline is a necessary containment step, it can sometimes delay operational recovery if not accompanied by fast and accurate incident triage. For Ingram Micro, which processes tens of thousands of hardware and software transactions globally each day, the priority will be restoring trust and uptime without compromising security.

The FBI and other relevant cybercrime authorities are reportedly involved in the investigation. If SafePay’s claims are substantiated, this could join a growing list of high-profile attacks in 2025 where ransomware gangs targeted global IT service providers. Industry watchers are also monitoring whether any regulatory disclosures or customer notifications will follow, depending on the data exposed.

For now, the company’s main message is one of active containment. Its official communications indicate that internal and external systems are being reviewed, and updates will be provided as more facts come to light.

This incident underscores the persistent threat ransomware poses to critical technology providers—and how operational disruptions can extend far beyond the initial target. Vendors and partners working with Ingram Micro may wish to review their own business continuity plans and assess any dependencies that could be impacted.


Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.