SafePay ransomware

Serious hacker attack: Ingram Micro confirms ransomware


The IT distributor Ingram Micro has been struggling with outages since Thursday; the attackers are said to have gained access via a VPN gateway.

IT wholesaler Ingram Micro has been struggling with a widespread system outage since Thursday, which, according to information from BleepingComputer, is due to an attack with SafePay ransomware. The company, which is one of the world’s largest B2B technology distributors and acts as an intermediary selling hardware, software and cloud services to resellers and IT service providers, had to shut down its internal systems as a result.


Ransomware notes discovered on employee devices

Ingram Micro’s website and online ordering systems have been unavailable since early Thursday morning. Initially, the company had not communicated the cause of the problems. As BleepingComputer now reports, employees suddenly discovered ransomware on their workstations.

The ransom message comes from the SafePay ransomware group, which has become one of the most active operations in 2025. Since its first appearance in November 2024, the group has already claimed over 220 victims. It is not yet clear whether data has actually been encrypted.

Suspected attack via VPN gateway

According to BleepingComputer, initial findings indicate that the attackers infiltrated the company network via Ingram Micro’s GlobalProtect VPN platform. This method of attack matches the known approach of the SafePay group, which has previously targeted VPN gateways using compromised credentials and password-spraying attacks.


After the attack was discovered, employees at some locations were instructed to work from home. As a preventive measure, the company shut down internal systems and prohibited the use of the GlobalProtect VPN connection.

Central distribution platforms affected

The company’s AI-powered Xvantage distribution platform and its Impulse licensing platform are particularly affected, BleepingComputer has learned from insiders. These systems are central to Ingram Micro’s business operations, as they are used to process orders and deliveries from partner companies. Other internal services such as Microsoft 365, Teams and SharePoint continue to function.

Company confirms incident

Initially, Ingram Micro did not classify the incident as a cyberattack, either publicly or to its employees, and only spoke of “ongoing IT problems”. On Sunday morning, the company then confirmed the ransomware attack:

“Ingram Micro recently identified ransomware in some of its internal systems,” the statement reads. “Immediately upon becoming aware of the issue, the company took steps to secure the affected environment, including proactively shutting down certain systems and implementing other mitigation measures.”

The company is working intensively to restore the affected systems so that orders can be processed and shipped. The company apologizes for any disruption caused to customers, sales partners and others.

Ingram Micro said it has launched an investigation with leading cybersecurity experts and informed law enforcement authorities.
