Ingram Micro Outage and Data Breach Highlight Shifting Ransomware Landscape

SafePay Emerges as Key Ransomware Actor After Ingram Micro Attack

The420 Web Desk

A ransomware attack that crippled the global IT distributor Ingram Micro in July exposed the personal data of employees and job applicants, underscoring how newer cybercrime groups are stepping into a vacuum left by the disruption of older, more notorious gangs.

A New Ransomware Group Moves Into the Foreground

SafePay first surfaced in September 2024 as a relatively obscure ransomware operation, operating quietly while building what cybersecurity researchers describe as a growing list of victims. Over the months that followed, the group began publishing hundreds of organizations on its dark web leak site—though experts caution that the true number of victims is likely far higher, since only companies that refuse to pay are typically named.

By early 2025, SafePay had become markedly more active. Analysts say it has gradually filled the operational space left by the takedowns and internal disruptions that weakened older ransomware syndicates such as LockBit and BlackCat. Like many contemporary ransomware groups, SafePay relies on a double-extortion model: stealing sensitive files before encrypting systems, then threatening public disclosure if demands are not met.

The July Breach at Ingram Micro

The group’s growing prominence came into sharper focus after a July 2025 cyberattack on Ingram Micro, one of the world’s largest technology distributors. According to breach notification letters filed with the Maine Attorney General and sent to affected individuals, attackers accessed internal file repositories and removed documents containing a wide range of personal information, including Social Security numbers.

Ingram Micro said it detected the incident on July 3, 2025, and quickly began investigating. The company determined that an unauthorized third party had accessed and taken certain files between July 2 and July 3. The stolen data included employment and job applicant records, with personal details such as names, contact information, dates of birth, government-issued identification numbers—including Social Security, driver’s license, and passport numbers—and some employment-related evaluations.

Operational Disruption and Unanswered Questions

Beyond the data theft, the attack caused significant operational disruption. The ransomware deployment triggered a widespread outage that took down Ingram Micro’s internal systems and website, prompting the company to ask employees to work from home while systems were restored.

Initially, Ingram Micro did not publicly attribute the breach to a specific threat group. However, reporting by BleepingComputer on July 5 identified SafePay as the likely culprit. The company later confirmed that ransomware had been deployed on its systems, though it stopped short of formally naming the group responsible. An Ingram Micro spokesperson did not respond to follow-up questions seeking additional detail or confirmation of SafePay’s involvement.

A Claim of Responsibility and a Larger Pattern

Three weeks after the incident, SafePay publicly claimed responsibility, adding Ingram Micro to its dark web leak portal and asserting that it had stolen 3.5 terabytes of data. The claim aligned with SafePay’s established pattern: listing victims only after negotiations fail or stall, and using the threat of public exposure to apply pressure.
