Ransomware gang sets deadline to leak huge cache of stolen Ingram Micro data
SafePay adds Ingram Micro to its data leak site

- Ingram Micro confirmed suffering a ransomware attack in July 2025
- It has been revealed this was the work of the SafePay group
- The threat actors have added Ingram Micro to their data leak site
Ingram Micro has been added to SafePay’s data leak site, meaning the countdown is on before terabytes of data are leaked on the dark web.
The company suffered a ransomware attack in July 2025, which forced it to shut down parts of its infrastructure. As a result, its business operations were disrupted, and some of its employees were sent to work from home.
The company managed to restore its services fairly quickly, but the miscreants made off with 3.5TB of sensitive data, which they are now threatening to release unless they are paid.
Terabytes of sensitive files
At the time of the attack, the company did not say who the threat actors were, but BleepingComputer has now uncovered that the attack was the work of SafePay, a relatively young ransomware operation that emerged between September and November 2024.
This group engages in the usual double-extortion tactics (encryption + data theft), and claims to have breached more than 200 organizations across different industries such as manufacturing, healthcare, and education.
At the time of the attack it was also said SafePay broke through the company’s GlobalProtect VPN platform, and left ransom notes on employee devices.
Among the systems impacted by the breach were Ingram Micro’s AI-powered Xvantage distribution platform and the Impulse license provisioning platform.
Should SafePay leak Ingram Micro’s data, it could send ripples throughout the business world, since Ingram Micro is one of the biggest B2B service providers and technology distributors around, servicing more than 160,000 customers globally, including giants such as Apple, HP, and Cisco.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.