Ingram Micro Ransomware Breach
BLUF
Ingram Micro was targeted by the SafePay ransomware group on July 2, 2025, resulting in a week-long global outage of critical ordering and distribution platforms. The attackers exfiltrated approximately 3.5 TB of sensitive data, including Social Security numbers and government IDs, which were leaked in August 2025 following failed negotiations.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by double-extortion ransomware targeting core operational platforms and sensitive customer data:
· Low-end total cost: $30M – $45M
o (Limited outage duration, strong backups, partial data exposure)
· Typical expected range: $55M – $90M
o (Multi-day platform outage, confirmed data exfiltration, regulatory action)
· Upper-bound realistic scenarios: $100M – $140M
o (Extended global disruption, litigation escalation, constrained insurance recovery)
Key Cost Drivers
· Duration of outage affecting revenue-generating platforms
· Volume and sensitivity of exfiltrated personal data
· Speed and quality of incident containment and disclosure
· Insurance sublimits, exclusions, and retention levels
· Regulatory jurisdictional reach and litigation intensity
Targeted Sectors
· Information Technology (Distribution)
· Healthcare
· Education
· Government
· Finance
Targeted Countries
· Global operations
Date of First Reported Activity
· July 2, 2025 (Initial intrusion)
Date of Last Reported Activity Update
· January 19, 2026 (Disclosure of exact victim count and Maine filing).
APT Group Names
· Not applicable
Criminal Organizations
· SafePay
o SafePlay
Tools Used
· Palo Alto GlobalProtect VPN (for entry)
· RDP
· PowerShell
· regsvr32.exe
· Token impersonation tools
TTPs
Initial Access
· T1078 Valid Accounts
o Attackers gained initial entry using compromised credentials.
· T1133 External Remote Services
o The breach originated through the company's GlobalProtect VPN platform.
· T1110 Brute Force
o Threat actors likely used password-spraying or brute-force methods to obtain the necessary VPN credentials.
Execution and Persistence
· T1486 Data Encrypted for Impact
o The group deployed ransomware payloads that encrypted core platforms, including the Xvantage and Impulse systems.
· T1204.002 User Execution (Malicious File)
o In accordance with SafePay's known methods, the group likely used a modified version of LockBit code for the encryption phase.
Lateral Movement
· T1021.001 Remote Desktop Protocol
o SafePay typically moves laterally through internal networks using RDP or similar remote access points.
· T1080 Taint Shared Content
o Attackers exploited trust between connected servers and users to navigate the internal environment.
Exfiltration and Impact
· T1041 Exfiltration Over C2 Channel
o Approximately 3.5 terabytes of data were exfiltrated before the ransomware was triggered.
· T1657 Financial Theft
o The group engaged in "double-extortion," threatening to leak sensitive financial and customer data unless a ransom was paid.
· T1489 Service Stop
o Ingram Micro was forced to proactively shut down internal systems and global ordering platforms to contain the spread.
Malware Name
SafePay Ransomware
SHA256
3b979d2231d2a8245afcc5a5c06659419eb38b6680c75537233795839473c2a3
Malware Family
· SafePay / SafePlay
Verdict
Malicious (Ransomware)
Primary Objectives
· Data exfiltration and file encryption for double extortion.
Threat Actor Context
· Active since late 2024; specializes in exploiting network misconfigurations and VPN gateways.
Behavior Analysis
· Identifies and terminates security processes
· Encrypts local and network drives
· Drops a ransom note (typically SafePay_Instructions.txt).
Suspected CVEs associated with attack
CVE-2024-3400
Palo Alto GlobalProtect OS command injection
CVSS v3.1
· CVSS 3.1 (10.0) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Nessus ID
· 114282
· 193255
Is CVE-2024-3400 on the KEV list?
· Yes
What was the patch by date for CVE-2024-3400?
· April 12, 2024
URL to patch information
· hxxps://security.paloaltonetworks.com/CVE-2024-3400
CVE-2023-42793
TeamCity RCE often used by related actors
CVSS v3.1
· CVSS 3.1 (9.8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· 182690
· 181926
Is CVE-2023-42793 on the KEV list?
· Yes
What was the patch by date for CVE-2023-42793?
· October 25, 2023
URL to patch information
· hxxps://www.jetbrains.com/privacy-security/issues-fixed/
Suggested Rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, consider creating a data model and reviewing the matching traffic as a report rather than treating each hit as an alert.
Suricata
VPN Vulnerability Exploitation (GlobalProtect)
alert tcp $EXTERNAL_NET any -> $HOME_NET [443,10443] (msg:"ET EXPLOIT Possible Palo Alto GlobalProtect Remote Code Execution Attempt"; flow:established,to_server; content:"/global-protect/login.esp"; http_uri; threshold:type limit, track by_src, count 1, seconds 60; classtype:web-application-attack; sid:2026001; rev:1;)
Data Exfiltration to Mega.nz (Common SafePay tool)
alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Mega.nz (Possible Exfiltration)"; dns_query; content:"mega.nz"; nocase; classtype:policy-violation; sid:2026002; rev:1;)
SentinelOne
Hunt for Suspicious Lateral Movement via RDP
EventType = "Logon" AND LogonType = "10" AND (SrcIp != "Trusted_VPN_Range")
Purpose: Identifies RDP sessions (logon type 10, RemoteInteractive) from unexpected internal or external source IPs. Replace "Trusted_VPN_Range" with the organization's approved VPN client address range before use.
Detect WinRAR/FileZilla Usage for Exfiltration
ProcessName In ( "winrar.exe", "filezilla.exe", "rclone.exe" ) AND ( CommandLine Contains ".zip" OR CommandLine Contains ".7z" OR CommandLine Contains "copy" )
Purpose: SafePay often uses these tools to stage and exfiltrate data before encryption.
Identify Ransomware Execution Indicators
ProcessName = "safepay.exe" OR ( CommandLine Contains "vssadmin.exe delete shadows /all /quiet" )
Purpose: Standard ransomware behavior of deleting Volume Shadow Copies to prevent recovery.
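The three SentinelOne hunts above, expressed as Python predicates and run over constructed logon and process events so the matching logic can be checked offline. This is an added example, not code from the CyberDax report or from SentinelOne; the field names mirror the queries, the trusted VPN range is an assumed placeholder value, and the shadow-copy check is deliberately broader than the fixed string in the query (it tolerates flag order, letter case, extra whitespace and a full executable path).

```python
# Added example (not from the CyberDax report): the three SentinelOne-style hunts above,
# expressed as Python predicates and run over constructed logon/process events so the
# matching logic can be checked offline. Field names mirror the queries; the trusted VPN
# range is an assumed placeholder value.
import ipaddress

# Assumption: the organisation's approved VPN client address pool (placeholder).
TRUSTED_VPN_RANGE = ipaddress.ip_network("10.200.0.0/16")

STAGING_TOOLS = {"winrar.exe", "filezilla.exe", "rclone.exe"}
STAGING_HINTS = (".zip", ".7z", "copy")


def rdp_from_untrusted_source(event):
    """Logon type 10 (RemoteInteractive, i.e. RDP) whose source is outside the VPN pool."""
    if event.get("EventType") != "Logon" or str(event.get("LogonType")) != "10":
        return False
    try:
        src = ipaddress.ip_address(event.get("SrcIp", ""))
    except ValueError:
        return True  # an unparseable source should surface, not be silently dropped
    return src not in TRUSTED_VPN_RANGE


def staging_tool_with_archive(event):
    """Archiver/transfer tool invoked with an archive extension or 'copy' in its arguments."""
    name = event.get("ProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return name in STAGING_TOOLS and any(hint in cmd for hint in STAGING_HINTS)


def shadow_copy_deletion(event):
    """Ransomware precursor: vssadmin deleting shadow copies. Token-based, so flag order,
    letter case, extra whitespace and a full executable path do not defeat the match
    (broader than the fixed string in the query above)."""
    if event.get("ProcessName", "").lower() == "safepay.exe":
        return True
    tokens = [t.strip('"') for t in event.get("CommandLine", "").lower().split()]
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]
    return exe in ("vssadmin.exe", "vssadmin") and {"delete", "shadows"} <= set(tokens)


RULES = {
    "rdp_untrusted_source": rdp_from_untrusted_source,
    "staging_tool": staging_tool_with_archive,
    "shadow_copy_deletion": shadow_copy_deletion,
}

# Constructed sample events (not telemetry from the incident).
SAMPLE_EVENTS = [
    {"EventType": "Logon", "LogonType": "10", "SrcIp": "10.200.14.7"},    # RDP from the VPN pool
    {"EventType": "Logon", "LogonType": "10", "SrcIp": "192.168.88.23"},  # RDP from an unexpected host
    {"EventType": "Logon", "LogonType": "3", "SrcIp": "192.168.88.23"},   # network logon, not RDP
    {"EventType": "Process", "ProcessName": "WinRAR.exe",
     "CommandLine": r"WinRAR.exe a -r D:\stage\finance.zip \\fs01\finance"},
    {"EventType": "Process", "ProcessName": "notepad.exe",
     "CommandLine": "notepad.exe notes.zip.txt"},                          # '.zip' but not a staging tool
    {"EventType": "Process", "ProcessName": "vssadmin.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe"  Delete Shadows /Quiet /All'},
]


def evaluate(events):
    """Return (event index, rule name) for every event that trips a rule."""
    hits = []
    for i, event in enumerate(events):
        for rule_name, predicate in RULES.items():
            if predicate(event):
                hits.append((i, rule_name))
    return hits


if __name__ == "__main__":
    for index, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

Running the block prints the three expected hits (the RDP logon from 192.168.88.23, the WinRAR invocation and the vssadmin command); the notepad event shows why the archive hint alone is not enough and must be paired with the tool list.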
Splunk
Detect VPN Credential Stuffing/Brute Force:
index=vpn_logs action=failure | stats count by user, src_ip | where count > 20 | table user, src_ip, count
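The failed-login aggregation from the SPL above, run in Python over constructed VPN authentication lines, together with the password-spray variant the TTP section mentions (one source trying many accounts a few times each, which a per-user count never surfaces). This is an added example, not code from the CyberDax report or from Splunk; the key=value line format and the field names are assumptions, not GlobalProtect's native log layout.

```python
# Added example (not from the CyberDax report): the failed-login aggregation from the
# SPL above, plus the password-spray variant, run over constructed VPN authentication
# lines. The key=value line format and field names are assumptions, not GlobalProtect's
# native log layout.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+src_ip=(?P<src_ip>\S+)\s+action=(?P<action>\S+)")


def _line(ts, user, ip, action):
    return f"2025-07-01T{ts} vpn-gw1 auth user={user} src_ip={ip} action={action}"


# Constructed sample log: one account hammered from one address, one address trying
# many accounts once each, and a user who mistyped a password and then succeeded.
SAMPLE_VPN_LOG = (
    [_line(f"02:{i:02d}:00Z", "jdoe", "203.0.113.10", "failure") for i in range(25)]
    + [_line(f"03:{i:02d}:00Z", f"user{i:02d}", "198.51.100.7", "failure") for i in range(12)]
    + [_line("04:00:00Z", "asmith", "10.200.3.4", "failure"),
       _line("04:01:00Z", "asmith", "10.200.3.4", "success")]
)


def parse(lines):
    """Yield dicts with user/src_ip/action for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def brute_force(records, threshold=20):
    """Same logic as the SPL: failures counted per (user, src_ip), flagged when above threshold."""
    counts = Counter((r["user"], r["src_ip"]) for r in records if r["action"] == "failure")
    hits = [(user, ip, n) for (user, ip), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda t: -t[2])


def password_spray(records, min_users=10, max_per_user=3):
    """One source failing against many distinct users a few times each. Per-user counts
    stay below any brute-force threshold, so this needs a per-source view."""
    per_src = defaultdict(Counter)
    for r in records:
        if r["action"] == "failure":
            per_src[r["src_ip"]][r["user"]] += 1
    hits = [(ip, len(users)) for ip, users in per_src.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user]
    return sorted(hits, key=lambda t: -t[1])


def run(lines):
    records = list(parse(lines))
    return {"brute_force": brute_force(records), "password_spray": password_spray(records)}


if __name__ == "__main__":
    for kind, hits in run(SAMPLE_VPN_LOG).items():
        print(kind, hits)
```

The thresholds (20 failures, 10 distinct users, at most 3 attempts per user) are starting points to tune against the organisation's own baseline; the one-failure-then-success pattern from 10.200.3.4 is included to show ordinary user error falling below both.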
Hunt for Large Data Outbound Spikes (Data Theft)
index=network_logs | eval total_mb = (bytes_out/1024/1024) | stats sum(total_mb) as total_data_exf by src_ip, dest_ip | where total_data_exf > 500 | sort - total_data_exf
Purpose: Flags any source IP sending massive amounts of data (consistent with the 3.5 TB theft).
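The outbound-volume aggregation from the SPL above, run in Python over constructed flow records, with a second roll-up per source address because a transfer split across several destinations stays under a per-pair threshold. This is an added example, not code from the CyberDax report or from Splunk; the flow tuples and the 500 MB threshold are constructed values.

```python
# Added example (not from the CyberDax report): the outbound-volume aggregation from the
# SPL above over constructed flow records, with a second roll-up per source address
# because a transfer split across several destinations stays under a per-pair threshold.
from collections import defaultdict

MB = 1024 * 1024

# Constructed flow records (src_ip, dest_ip, bytes_out); not traffic from the incident.
SAMPLE_FLOWS = [
    ("10.10.5.21", "203.0.113.50", 700 * MB),  # large transfer to one external host
    ("10.10.5.21", "203.0.113.50", 120 * MB),
    ("10.10.5.22", "198.51.100.8", 300 * MB),  # split across two destinations
    ("10.10.5.22", "198.51.100.9", 350 * MB),
    ("10.10.5.23", "10.10.9.1", 40 * MB),      # routine internal traffic
]


def outbound_by_pair(flows, threshold_mb=500):
    """Equivalent of the SPL: sum bytes_out per (src_ip, dest_ip), keep pairs over threshold,
    sorted by volume descending. Volumes are returned in MB."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    hits = [(src, dst, total / MB) for (src, dst), total in totals.items()
            if total / MB > threshold_mb]
    return sorted(hits, key=lambda t: -t[2])


def outbound_by_source(flows, threshold_mb=500):
    """Roll-up per source regardless of destination, catching transfers split across hosts."""
    totals = defaultdict(int)
    for src, _, nbytes in flows:
        totals[src] += nbytes
    hits = [(src, total / MB) for src, total in totals.items() if total / MB > threshold_mb]
    return sorted(hits, key=lambda t: -t[1])


if __name__ == "__main__":
    print("by pair:", outbound_by_pair(SAMPLE_FLOWS))
    print("by source:", outbound_by_source(SAMPLE_FLOWS))
```

With these records the per-pair view flags only 10.10.5.21, while the per-source view also surfaces 10.10.5.22, whose 650 MB was split over two destinations; running both aggregations is what the 3.5 TB figure in the report argues for.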
Monitor for Unauthorized VPN Account Reactivation:
index=active_directory (EventCode=4722 OR EventCode=4738) | search "VPN_Service_Account"
Purpose: SafePay may reactivate dormant accounts or create new administrative users for persistence.
Delivery Method
· Compromised VPN credentials (primary) and potential spear-phishing for initial credential harvesting.
Email Sample
· Generic "Security Update Required" or "Account Verification" lures targeting employees to harvest GlobalProtect credentials.
References
Security Affairs
· hxxps://securityaffairs.com/187083/data-breach/ransomware-attack-on-ingram-micro-impacts-42000-individuals.html
Admin By Request
· hxxps://www.adminbyrequest.com/en/blogs/safepay-ransomware-cripples-global-it-distributor-ingram-micro
VirusTotal
· hxxps://www.virustotal.com/gui/file/3b979d2231d2a8245afcc5a5c06659419eb38b6680c75537233795839473c2a3
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2024-3400
· hxxps://nvd.nist.gov/vuln/detail/CVE-2023-42793
Tenable
· hxxps://www.tenable.com/cve/CVE-2024-3400/plugins
· hxxps://www.tenable.com/cve/CVE-2023-42793/plugins
CISA KEV Catalog
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400
Palo Alto Networks Security
· hxxps://security.paloaltonetworks.com/CVE-2024-3400
JetBrains
· hxxps://www.jetbrains.com/privacy-security/issues-fixed/