Ingram Micro Partners ‘Concerned’ About Claimed SafePay Data Theft

Solution providers tell CRN they fear their own company’s or their customers’ data could be made public in the wake of reports that the SafePay ransomware organization has stolen 3.5 terabytes of Ingram Micro data and is threatening to publish it.

Afro american woman using laptop. Ransomware Malware Attack. Computer Hacked. Unrecognizable person, close up of hands and computer screen.

Ingram Micro partners told CRN they are concerned that confidential data from their companies or their customers could be made public by the SafePay ransomware organization.

The partner angst comes after Cyberdaily.au and BleepingComputer reported that on July 30, SafePay claimed credit for the ransomware attack earlier this month against Ingram Micro, adding the distributor to a published list of its claimed victims. SafePay said it has stolen 3.5 terabytes of Ingram Micro data and threatened to publish it within three days, according to Cyberdaily.au.

“This is highly concerning,” said the CEO of a Solution Provider 500 company, who did not want to be identified. “Think of all the confidential data, internal data from VARs like us and customer data, financial data, all of it. I am going to reach out immediately to Ingram to see if I can get any information on this. I am surprised we haven’t had any calls from our customers worried that their data may be exposed.”

CRN reached out to Ingram Micro but had not heard back at press time.

BleepingComputer reported July 5 that Ingram Micro had been hit by SafePay with a ransomware attack. Ingram Micro confirmed the ransomware attack in a statement later that day but did not name the attacker.

The $48 billion distributor’s last public disclosure on the ransomware attack came on July 9 when the company reported that it was “operational across all countries and regions” where it does business.

Solution provider executives told CRN that Ingram Micro has not been communicating enough about the attack and its impact, leaving many to surmise that the company is limiting its public commentary due to advice from its legal counsel or insurance company.

“I need to know something,” said the Solution Provider 500 CEO. “To not have any communication on this is extremely concerning. This makes us feel exposed.”

The CEO said if there is “bad news” regarding the ransomware attack and the alleged data theft, he would prefer to hear it directly from Ingram Micro.

“Right now we know nothing, so we assume the worst,” the CEO said.

The CEO for another Solution Provider 500 company, who did not want to be identified, said he is also “extremely concerned” that his company’s or his customers’ data could be made public on the dark web as a result of the Ingram Micro ransomware attack.

“We need to know where this stands,” said the solution provider executive. “All of us in the Ingram partner community are concerned about this.”

A Closer Look At SafePay

Danny Jenkins, the CEO of ThreatLocker, one of the top MSP security software providers, said he has no specific knowledge of the Ingram Micro situation, but he feels it is likely that SafePay is trying to negotiate with Ingram Micro.

Furthermore, Jenkins said there is no indication of what kind of data SafePay may have gotten from Ingram Micro. “We don’t know if there is any customer or partner data that is involved in this situation,” he said. “They could have literally taken a bunch of marketing data that is already publicly available.”

ThreatLocker research shows that SafePay is a relatively small ransomware organization that emerged in 2024, requiring victims to pay for “data decryption and to prevent publication” with “significant pressure” placed on negotiations with “personal phone calls” made to pressure payment.

Jenkins said Safepay employs an “opportunistic” rather than a “targeted” approach seeking out specific companies. He said the ransomware outfit exfiltrates data using commonly available Microsoft Windows tools, including Rclone. “There is evidence that this group has used Rclone very heavily,” he said.

As to Jenkins’ advice to any company hit by a ransomware attack: “Payment should be your absolute last resort. These are not exactly what you call good people. I would rather pay $1 million to restore my systems than $100,000 to a criminal organization to not make the data publicly available.”