Ingram Micro, one of the world’s largest IT distributors, has confirmed a ransomware attack was responsible for a widespread service disruption that began late last week and continued through the holiday weekend.
The outage first came to light on Thursday when managed service providers (MSPs), resellers, and solution providers reported being unable to access Ingram Micro’s websites and place online orders. The incident, which left key systems including the distributor’s Xvantage platform offline, sparked speculation of a cyber attack—particularly given the timing over a long weekend, a favoured window for ransomware operations.
In a statement released on Saturday evening, Ingram Micro acknowledged the incident was the result of ransomware. “Ingram Micro recently identified ransomware on certain of its internal systems,” the company said. “Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”
The California-based distributor added that it was “working diligently to restore the affected systems so that it can process and ship orders”, and issued an apology to customers and vendor partners for the disruption. It also filed an 8-K form with the US Securities and Exchange Commission outlining the nature of the attack.
While the company has not disclosed the identity of the attackers, reports from Bleeping Computer suggest the ransom note left on compromised systems may be linked to the SafePay ransomware gang. The group, first observed in 2024, has rapidly become one of the most active threat actors, responsible for 18 per cent of all ransomware attacks in May, according to NCC Group’s Threat Pulse report.
SafePay, unlike many ransomware gangs, claims it does not operate a ransomware-as-a-service (RaaS) model, instead carrying out attacks directly. At the time of reporting, there was no mention of Ingram Micro on SafePay’s leak site—a delay not uncommon as gangs often wait several days before publicly identifying victims to increase negotiation pressure.
The implications for Ingram Micro’s customers are still unfolding. Many rely on the company’s infrastructure for software provisioning, order management, and service delivery. One MSP executive, speaking anonymously to Dark Reading, expressed concern that attackers could potentially exploit Ingram Micro’s platform to gain further access into customer environments. The executive said their organisation was in the process of revoking third-party privileged access to its Microsoft tenant as a precaution.
The incident recalls previous high-profile attacks on MSPs, notably the REvil ransomware campaign in July 2021 that exploited a zero-day vulnerability in Kaseya’s VSA platform to compromise roughly 1,500 businesses globally.
As of Tuesday, Ingram Micro’s US website appeared to be operational, although several subdomains and regional sites remained inaccessible, instead displaying a message confirming the cybersecurity incident and linking to the firm’s public statement. Core platforms such as Xvantage, used by customers for purchasing hardware, software, and services, remained offline.
Headquartered in Irvine, California, Ingram Micro has long been a dominant force in global IT distribution. The company was acquired by Chinese conglomerate HNA Group in 2016 for around USD 6 billion, before private equity firm Platinum Equity took over in 2021 for USD 7.2 billion. Last October, Ingram Micro returned to public markets with an initial public offering that raised roughly USD 409 million.
The latest incident underscores the increasing vulnerability of major digital supply chains, especially those with deep integration into customer and partner ecosystems. Ransomware attacks, particularly those timed over holidays, remain one of the most persistent threats to enterprise operations worldwide.

