Ransomware’s Rising Stars: Inside the SafePay Attack That Crippled Ingram Micro

In the early hours of July 4th, while much of the U.S. celebrated Independence Day, threat actors launched a cyberstrike that effectively paralyzed one of the world’s largest IT distributors. Ingram Micro, a $50 billion global technology heavyweight, was hit with a ransomware attack that has since disrupted internal systems, taken down online ordering portals, and put the company’s AI-driven logistics platforms on ice.


BleepingComputer first reported the incident, attributing the breach to a relatively new player in the ransomware ecosystem: SafePay. The group has been gaining traction in 2025 with swift, surgical attacks that leverage VPN vulnerabilities and compromised credentials. Ingram Micro’s internal communications initially downplayed the issue as “IT system outages.” But over the weekend, the company formally confirmed it was dealing with a ransomware attack.


“Ingram Micro recently identified ransomware on certain of its internal systems,” the company said in a July 6th statement. “Promptly after learning of the issue, the Company took steps to secure the relevant environment... and notified law enforcement.”


VPNs: A Gateway for Modern Threats


Though full details remain under wraps, sources suggest SafePay may have infiltrated Ingram Micro’s network via the company’s GlobalProtect VPN gateway—developed by cybersecurity giant Palo Alto Networks. That possibility prompted a response from Palo Alto itself.


“At Palo Alto Networks, the security of our customers is our top priority,” the company said in a statement. “We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”


The implication is familiar but chilling: even the most trusted enterprise infrastructure is now a frequent target—and sometimes a weak point—for modern cybercriminals.


The Rise of SafePay


SafePay first surfaced in late 2024 but has since racked up more than 220 known victims, including a dramatic takedown of UK-based Microlise earlier this year. That attack saw 1.2 terabytes of data allegedly stolen and a ransom demand issued in less than 24 hours. The group’s calling card: speed, stealth, and an ability to exploit misconfigured access controls and outdated authentication systems.


“With the toppling of LockBit and ALPHV, this has opened up 'opportunities' for upstart ransomware groups like SafePay,” said Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “The reports I've seen indicate the group moves quickly, with fast encryption times, seeing attacks typically move from system breach to deployment in less than 24 hours.”


Hauk emphasizes that prevention must begin at the perimeter. “Organizations can protect against SafePay and similar types of ransomware attacks by placing strict access controls on their systems, strong authentication like multi-factor authentication, monitoring for newly discovered vulnerabilities, and implementing secure VPN connections to provide remote access.”


Identity Security: The First Line of Defense


While some of Ingram Micro’s services—such as Microsoft 365 and Teams—remain operational, core platforms like its Xvantage distribution and Impulse licensing services have gone dark. For partners and resellers reliant on these systems, the disruption is more than a blip; it’s a business continuity crisis.


Jim Routh, Chief Trust Officer at Saviynt, sees a clear lesson: “The attack on Ingram Micro allegedly by SafePay is another example of the preference for threat actors to use compromised credentials to penetrate proprietary systems... Enterprises have an opportunity to improve their identity security capabilities to resist these types of attacks in the future.”


The Bigger Picture


Ingram Micro’s incident is a stark reminder of how quickly the ransomware landscape evolves. As law enforcement closes in on established syndicates, a vacuum is created—and it doesn’t stay empty for long. Upstart groups like SafePay are stepping in with new tactics and faster playbooks.


The question now isn’t whether enterprises can prevent every attack. It’s whether they can adapt quickly enough to respond before access becomes encryption—and before encryption becomes extortion.
