Ingram Micro investigating ransomware attack

Ingram Micro said Saturday that it is investigating a ransomware attack after discovering suspicious activity on its internal network. 

The Irvine, Calif.-based technology firm said it proactively took certain systems offline, notified law enforcement and retained outside forensic experts to help with the investigation. 

The company said it is working diligently to restore normal operations following the attack, which has affected its ability to process and ship orders.

The SafePay ransomware group has reportedly claimed credit for the attack. 

Researchers have seen an uptick in activity from SafePay since May, according to Jamie Levy, director of adversary tactics at Huntress.

The hacker group, first discovered in October 2024, has breached targeted companies using internet-exposed Remote Desktop Protocol as well as targeted virtual private networks.  

SafePay has been among the most active of all ransomware gangs, with 18% of attacks being linked to the group, according to Matt Hull, global head of threat intelligence at NCC. 

The group has been active since at least November 2024 and is believed to be a rebrand of other top ransomware gangs, possibly including LockBit, AlphV or INC. 

NCC recently responded to an attack linked to SafePay that involved the hackers gaining initial access through a misconfigured firewall and bypassing multifactor authentication, according to a March report. The hackers also used ScreenConnect to gain persistence inside of a network, according to NCC. 

Ingram Micro has not disclosed any details about how the attackers gained access to its systems. The company also has not estimated the hack’s financial impact. It reported net sales of $12.3 billion on non-GAAP earnings of $144 million, or 61 cents a share, during the fiscal first quarter.

The company’s latest forecast calls for net sales of $11.7 billion to $12.2 billion in the fiscal second quarter, on earnings between 53 cents to 63 cents a share.