In the evolving landscape of cybercrime, a ransomware group named SafePay has gained notoriety following a significant attack on IT distributor Ingram Micro, which has rendered the company offline for over four days. The group’s demands are clear: Ingram Micro must pay a ransom within seven days, asserting that monetary gain is their sole motivation.
At present, Ingram Micro’s website displays a brief message indicating a cyber incident, leaving customers and stakeholders in a state of uncertainty. This marks a troubling situation for the company, as their operational disruption not only impacts their reputation but also affects managed service providers (MSPs) globally reliant on their systems for software and hardware access.
SafePay distinguishes itself from other ransomware groups by opting for a closed system rather than the common Ransomware-as-a-Service (RaaS) model. This innovative approach allows them to maintain control over the deployment of their ransomware, a strategy that contrasts with well-known groups like Conti and LockBit, which previously dominated the landscape. Reports indicate that SafePay executed 70 attacks in May 2025, making up 18 percent of the overall compromises noted, highlighting their significant and rapid emergence in the field.
Interestingly, the group is believed to consist of former members from notable ransomware factions like LockBit and BlackCat, indicating a shift in the cybercrime game as these individuals form new collectives. Notably, SafePay exempts unintended victims based on language settings, further complicating the landscape of their operations.
Ingram Micro has faced backlash for its inadequate communication during the outage, as clients express frustration over the lack of updates. The group’s strategy reportedly hinged on exploiting vulnerabilities within Ingram Micro’s IT network, including access through the company’s VPN, GlobalProtect.
The critical question remains: will Ingram Micro pay the ransom? Even if they do, there are no assurances regarding the safety of their data post-payment, especially given the track record of ransom payouts not guaranteeing data recovery.
As cyber threats persist, this incident underscores the critical need for businesses to enhance their cybersecurity measures and maintain clear communication with stakeholders during crises. The ongoing situation represents both a challenge and an opportunity for Ingram Micro to reinforce its reputation by emerging resilient in the face of adversity.