
How the SafePay Ransomware Disrupted a Major Global IT Supplier
Hook
The July 2025 SafePay ransomware attack on Ingram Micro reinforces a stark reality: third-party suppliers remain prime targets with ripple effects across the tech industry.
Timeline & Attack Vector
- The attack began early July 3 and was identified by July 5.
- Attackers leveraged compromised credentials via GlobalProtect VPN in a password-spraying campaign.
Technical Details & Damage Control
- SafePay is known for double extortion—combining encryption with threats of data exposure.
- Ingram Micro took rapid mitigation steps: disconnecting systems, involving forensic teams, and notifying law enforcement.
Restoration Strategy
- Restoration began July 7, with subscription orders processed via support teams across multiple countries.
- Full global recovery (covering EDI, web, email, and phone channels) was complete by July 10.
Key Takeaways
- Secure VPNs with MFA and strict credential hygiene to prevent credential misuse.
- Run tabletop exercises with partners, ensuring clarity in communication and switchover procedures.
- Plan for third-party disruptions in your risk management strategy—supply chain attacks are escalating in scale.
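
To make the password-spraying vector and the VPN takeaway above concrete, the following added example (not part of the original article) flags sources that fail logins against many distinct accounts with only a few tries each, then lists any account that later logged in successfully from such a source. The log format, addresses, usernames and thresholds are constructed assumptions, not the GlobalProtect log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp,source_ip,username,result
# (generic illustrative format, not a real VPN product's log schema)
SAMPLE_LOG = """\
2025-07-03T01:00:05,203.0.113.10,alice,FAIL
2025-07-03T01:00:40,203.0.113.10,bob,FAIL
2025-07-03T01:01:10,203.0.113.10,carol,FAIL
2025-07-03T01:02:00,203.0.113.10,dave,FAIL
2025-07-03T01:02:30,203.0.113.10,erin,FAIL
2025-07-03T01:03:15,203.0.113.10,frank,FAIL
2025-07-03T01:20:00,203.0.113.10,carol,OK
2025-07-03T02:00:00,198.51.100.7,svc_backup,FAIL
2025-07-03T02:00:02,198.51.100.7,svc_backup,FAIL
2025-07-03T02:00:04,198.51.100.7,svc_backup,FAIL
2025-07-03T08:15:00,192.0.2.44,gina,FAIL
2025-07-03T08:15:20,192.0.2.44,gina,OK
"""

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)  # chronological order

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: usernames} for sources whose failed logins inside `window`
    hit >= min_users distinct accounts with <= max_per_user tries per account."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            counts = Counter(user for _, user in fails[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged.setdefault(ip, set()).update(counts)
    return {ip: sorted(users) for ip, users in flagged.items()}

def compromised_after_spray(events, flagged):
    """Accounts with a successful login from a flagged source: reset these first."""
    return sorted({(ip, user) for _, ip, user, result in events
                   if result == "OK" and ip in flagged})
```

The per-account cap is what separates spraying from single-account brute force, which account lockout already catches; the repeated `svc_backup` failures and the one-off `gina` typo in the sample are deliberately not flagged.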