The IT giant Ingram Micro is experiencing an ongoing outage caused by a significant ransomware attack on its systems. Ingram Micro is one of the world’s largest business-to-business technology distributors and also a major service provider. Since last Thursday, Ingram Micro’s website and its online ordering systems have been down due to the attack. The California-based company confirmed it recently identified ransomware on certain of its internal information technology systems. The attack appears to have landed on Thursday, just ahead of the long Independence Day weekend in the US.
The ransom note found on devices is associated with the SafePay ransomware operation, a very active group. It is still unclear if devices were actually encrypted in the attack, despite the presence of the ransom notes. Sources have told BleepingComputer it is believed threat actors breached Ingram Micro through its GlobalProtect VPN platform. The SafePay ransomware gang is a relatively new operation that was first seen in November of the previous year. This ransomware operation has been previously observed breaching corporate networks through VPN gateways using compromised credentials.
Promptly after learning of the issue, the company took steps to secure the relevant IT environment. This included proactively taking certain internal systems offline and implementing other important and necessary mitigation measures. Once the attack was discovered, employees in some locations were told to work from home for their safety. The company also launched an investigation with the assistance of leading third-party cybersecurity experts and notified law enforcement. Systems impacted in many locations include the company’s AI-powered Xvantage distribution platform and the Impulse license platform.
Ingram Micro is working diligently to restore all of the affected systems so that it can process and ship orders to its many customers and partners. The company has apologized for any disruption this issue is causing its customers, vendor partners, and many others. It is still unclear when the systems will be fully restored and normal business operations can resume. The ransom note claims that a wide variety of information was stolen, but this is generic language.