Shutter2U - stock.adobe.com

Ingram Micro ransomware attack contained and remediated

Distributor shares update on efforts made to recover from the attack that hit the business late last week

Ingram Micro has shared its progress in its recovery from last week’s ransomware attack, indicating the incident has been contained and remediated.

The distributor hit the headlines over the weekend after a cyber assault that took some of its systems offline.

Over the past couple of days, the firm has been working to restore ordering systems, and yesterday it revealed that as well as subscriptions, it can now receive and process orders for hardware and other technologies via phone or email in the US – although “some limitations may exist which will be clarified as orders are placed”.

That has been followed up with an update indicating the issues have been sorted, with the channel player working with third-party experts to get back to normal.

“Ingram Micro has been working diligently with leading third-party cyber security experts to investigate and remediate the cyber security incident announced on 5 July 2025, including proactively taking certain systems offline and implementing other mitigation measures,” the firm stated.

“Based on these measures and the assistance of third-party cyber security experts, we believe the unauthorised access to our systems in connection with the incident is contained and the affected systems remediated,” Ingram added. “Our investigation into the scope of the incident and affected data is ongoing.

“Our team has been working around the clock on this matter to restore affected systems. We have implemented additional safeguards and monitoring measures to protect our network environment as we bring our systems back online.”

Statement

The distributor was hit by a ransomware attack late last week, with the business making a statement on Saturday to update customers that had noticed systems were impacted.

According to reports in BleepingComputer, the attack was carried out by a SafePay ransomware group, which has been particularly active this year.

The group claimed it had been able to exploit some gaps in the distributor’s systems to launch its attack. The note added that it was not a political attack, but one motivated by money.

Businesses targeted

Rebecca Moody, head of data research at Comparitech, said SafePay was an active group that targeted businesses with ransomware attacks. “SafePay is renowned for both encrypting systems and stealing data, so if ransom demands aren’t met, it’s likely we’ll see Ingram Micro popping up on SafePay’s data leak site in the coming days/weeks,” she said.

“Over the last couple of months, SafePay has stolen an average of 111GB of data from each victim, which can lead to significant breaches. To date, we’ve tracked 238 attacks via SafePay, with 32 of these being confirmed by the entity involved.”

Moody said there had been other tech firms on both sides of the Atlantic that had been recent victims of SafePay.

Speaking at the recent Working Together for Channel Success event, Robin Ody​, principal analyst at Canalys, now part of Omdia, said channel businesses were key targets for criminals.

“Partners have become the number one threat vector for customers, because a partner holds all the data,” he said. “And the more that they hold the managed services piece, the more that they hold the financial data and the more the MSPs have become the single threat vector for the channel.”

Read more on Data Protection Services