
Global IT distributor Ingram Micro was forced to shut down its primary systems in July 2025 due to a ransomware attack. Ingram Micro was unable to process orders and assist customers worldwide as a result of the incident, which was later connected to the SafePay ransomware group. The business spent the following few days trying to contain the ransomware, look into the matter, and gradually resume operations. In order to determine what lessons we can learn from the incident, this article will focus on the timeline of the event, the attack’s course, the consequences, and the reactions of the public.
A Timeline of Events in Order
- July 3, 2025. Early in the morning, employees saw pop-ups on their computers that looked like ransom notes. This meant that a ransomware attack had happened. Ingram Micro’s main systems began to fail around 8:00 AM ET. Later in the day, customers from all over the world found that the company’s websites and ordering systems weren’t working.
- July 4, 2025. Ingram Micro shut down more systems and told employees to work from home before the U.S. holiday weekend to help contain the threat.
- July 5, 2025. In a public statement (via an SEC Form 8-K press release), the company said that ransomware had been found on some of its internal systems. Ingram Micro said that it had taken systems offline and started an investigation led by experts. It also apologised to customers and partners for the inconvenience.
- July 6, 2025. Reports in the media confirmed that the SafePay ransomware gang was behind the attack and that the cybercriminals probably got into Ingram’s network through its GlobalProtect VPN platform using leaked credentials. This is the day that Reuters and other news outlets started to report on the event.
- July 7–8, 2025. There was some progress in recovering service. Ingram Micro put its website back up and started bringing back some order processing functions in stages. Ordering and licensing systems were still down during the investigation, though. On July 8, the company said that the problem was under control and that the impacted systems were being safely brought back online.
- July 9, 2025. Ingram Micro said that operations were back to normal all over the world, and order processing was back to normal in all regions. Customers could once again place orders online, over the phone, or by email. The company thanked everyone for their patience while they got back to normal.
How the Attack Happened
The SafePay ransomware group was behind the ransomware attack that caused Ingram Micro’s problems. SafePay, a new group of threat actors that first came to light at the end of 2024, had already attacked more than 220 victims. The attackers usually get into corporate networks through VPN gateways by using leaked credentials and password-spraying attacks. Sources say that the attackers in the case of Ingram Micro first got in through the company’s GlobalProtect VPN platform. It’s likely that they did this by using insecure or stolen credentials instead of a software vulnerability.
Once inside, the ransomware operators deployed ransomware that left digital ransom notes on employee systems and triggered outages. It’s reported that employees suddenly saw ransom note messages on their screens on July 3, which was the first obvious sign of the attack. To prevent the malware from spreading further, Ingram Micro proactively shut down certain systems as soon as the attack was detected. This included taking their GlobalProtect VPN itself offline, as well as disconnecting the company’s flagship Xvantage digital platform and its Impulse cloud license provisioning system. These actions, while disruptive, were intended to contain the ransomware’s reach and protect other parts of the network.
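The password-spraying route into a VPN gateway described in this section leaves a recognizable trace in authentication logs. This added example (not from the original article or from Ingram Micro) flags a source address that fails logins for many distinct accounts inside a short window and reports any successful login from that same source; the log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events: timestamp,source_ip,user,result.
# The format is hypothetical, not a real gateway's log schema.
SAMPLE_LOG = """\
2025-07-01T02:00:05,203.0.113.10,alice,FAIL
2025-07-01T02:00:41,203.0.113.10,bob,FAIL
2025-07-01T02:01:17,203.0.113.10,carol,FAIL
2025-07-01T02:01:52,203.0.113.10,dave,FAIL
2025-07-01T02:02:30,203.0.113.10,erin,FAIL
2025-07-01T02:03:02,203.0.113.10,svc-backup,SUCCESS
2025-07-01T08:15:00,198.51.100.7,frank,FAIL
2025-07-01T08:15:20,198.51.100.7,frank,FAIL
2025-07-01T08:15:45,198.51.100.7,frank,SUCCESS
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split(",")
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail logins for many distinct users inside one window."""
    fails = defaultdict(list)      # ip -> [(time, user)] for failed attempts
    successes = defaultdict(list)  # ip -> [(time, user)] for successful logins
    for ts, ip, user, result in sorted(parse(log)):
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    alerts = []
    for ip, events in fails.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                # A success from the same source after the spray is the urgent case.
                hits = sorted({u for t, u in successes[ip] if t >= events[start][0]})
                alerts.append({"ip": ip, "targeted": sorted(users), "compromised": hits})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The second source in the sample is a single user mistyping a password, which stays below the distinct-account threshold and is not flagged.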
Impact on Operations and Customers
Ingram Micro’s business had a lot of problems because of the ransomware attack. The company couldn’t process or ship customer orders for days because of a multi-day IT outage that took down important business platforms. Customers and reseller partners from all over the world had to wait longer because online portals weren’t working and orders couldn’t be processed through normal automated channels. Ingram Micro was disconnected from its vendors and clients, creating a ripple of disruption across the supply chain. Distribution experts noted that with fulfillment systems offline, enterprise buyers faced order backlogs and uncertainty on shipments, while manufacturers and resellers lost visibility into demand and had to scramble to meet needs.
Beyond the logistical delays, there were concerns about data exposure. SafePay’s ransom note generically claimed to have stolen a variety of information, but as of early July there was no public evidence yet of any sensitive Ingram Micro data (like customer, vendor, or employee records) being leaked or sold. The company stated that its investigation into the scope of the incident and any affected data was ongoing. It’s also useful to note at this point that backup plans protected a few downstream clients from the immediate consequences. For instance, in order to maintain the flow of vital supplies during Ingram’s system outage, numerous resellers turned to backup inventory or other distributors.
Ingram Micro’s Response and Recovery
Ingram Micro reacted to the attack by communicating openly and attempting to contain it quickly. The business implemented its incident response plan after finding the ransomware on its internal systems, which included shutting down the impacted servers, isolating networks, and hiring outside cybersecurity specialists to conduct an investigation. Because of the seriousness of the breach, law enforcement agencies were also alerted early on. This prompt action likely stopped additional harm and prepared the ground for a planned recovery.
The company prioritized transparency by issuing regular public updates on a dedicated status webpage and also through direct emails to partners. In these updates, Ingram Micro acknowledged service outages and provided workarounds, for instance, advising customers to submit orders via phone or email while online systems were down. They also set up clear escalation channels for urgent issues and an FAQ resource to help stakeholders through the disruption.
Meanwhile, technical teams worked around the clock to remediate and restore the IT environment. By July 8, Ingram Micro announced that the ransomware was contained and infected systems had been cleaned and patched. The company brought systems back online in a phased, layered approach, testing and monitoring each part of the network for any lingering threats. Extra security measures were put in place during the restoration process. These included better monitoring to quickly spot any unusual activity as operations started up again.
Thanks to these efforts, Ingram Micro achieved a relatively quick recovery: within about a week of the attack, they had fully restored global operations. On July 9, the distributor proudly reported that all of its business regions were operational again, and normal order processing (via electronic systems as well as manual channels) had been re-established. The company also expressed gratitude for customers’ patience and support from industry colleagues during the crisis.
Prevent Ransomware Before It Happens
Ingram Micro’s story shows that even the biggest, most tech-savvy companies can be hit by ransomware. The real costs are days of downtime, lost productivity, and damage to the company’s reputation. This means that the best way to deal with ransomware is to stop it before it actually happens.
BlackFog’s innovative approach has been designed to do exactly that. BlackFog’s ADX technology stops attackers in their tracks by blocking data exfiltration in real-time, without the need for human intervention.
Our anti data exfiltration (ADX) technology watches all endpoints for signs of data theft or ransomware activity and stops threats like SafePay before they can spread or do damage.
Get in touch with us to find out how our state-of-the-art ransomware prevention platform can keep your business safe, or ask for a demo to see how our solution works.