SafePay ransomware threatens to leak 3.5TB of Ingram Micro data


The SafePay ransomware gang is threatening to leak 3.5TB of data belonging to IT giant Ingram Micro, allegedly stolen from the company’s compromised systems earlier this month.

Ingram Micro is one of the world’s largest business-to-business service providers and technology distributors, offering a wide range of solutions to resellers and managed service providers worldwide, including hardware, software, cloud services, logistics, and training.

While BleepingComputer first reported on July 5 that SafePay was behind this incident, the ransomware gang didn’t claim responsibility for the attack until earlier this week, when it added the tech giant to its dark web leak portal.

SafePay ransomware is a private operation that surfaced in September 2024 and has since added over 260 victims to its leak site; however, the actual number is likely larger, as only victims who don’t pay are listed.

The group is also known for stealing sensitive documents before encrypting victims’ systems and threatening to leak the stolen data on the dark web if a ransom is not paid.

Since the start of the year, SafePay has become one of the most active ransomware groups, filling the gap left by LockBit and BlackCat (ALPHV) ransomware.

Ingram Micro entry on SafePay’s leak site (BleepingComputer)

As BleepingComputer reported earlier this month, Ingram Micro also suffered a global outage caused by the SafePay ransomware attack, with employees told to work from home and the company’s website and ordering systems taken offline.

Since then, BleepingComputer has learned that the company has been working on restoring VPN access to employees and has also performed a company-wide password and multi-factor authentication (MFA) reset.

Ingram Micro quickly recovered from the incident, restoring many of the internal systems and platforms impacted by the attack within days, allowing employees greater access to its ordering system.

“Ingram Micro is pleased to report that we are now operational across all countries and regions where we transact business. Our teams continue to perform at a swift pace to serve and support our customers and vendor partners,” Ingram Micro announced just four days after disclosing the attack.

However, the company has yet to confirm that SafePay ransomware was behind the breach or whether the attackers stole data from its compromised systems.

An Ingram Micro spokesperson was not immediately available for comment when BleepingComputer reached out for more information earlier today.
