Ingram Micro published a statement on Saturday saying it discovered “ransomware on certain of its internal systems,” which it immediately took offline.
# Incident Report: Ingram Micro Ransomware Attack
## Executive Summary
Ingram Micro, a major global IT products and services provider, experienced a ransomware attack just before the July 4 holiday weekend. The incident was discovered when the company identified ransomware on internal systems, leading to the immediate isolation of affected systems. The attack was attributed to the SafePay ransomware gang, causing significant operational disruption while the company worked with experts to restore services.
## Incident Details
- Discovery Date: Saturday (relative to the source article's publication date)
- Incident Date: Prior to Saturday, preceding the July 4 holiday weekend
- Affected Organization: Ingram Micro
- Sector: IT Products and Services / Technology Distribution
- Geography: Global (company has offices across Americas, Europe, Asia, Middle East)
## Timeline of Events
### Initial Access
- Date/Time: Unknown, prior to Saturday
- Vector: Not disclosed; the intrusion culminated in ransomware deployment attributed to the SafePay group
- Details: Ransomware was discovered on certain internal systems.
### Lateral Movement
- Details: Not explicitly described in the provided context, but the compromise of multiple internal systems requiring shutdown implies movement between them.
### Data Exfiltration/Impact
- Details: The potential for significant data exfiltration exists, as the SafePay group typically steals data (average of 111 GB per victim tracked by Comparitech). The immediate impact was the outage of systems necessary to process and ship orders.
### Detection & Response
- Date/Time: Attributed statement released Saturday. Outages first reported on Thursday.
- Details: Ingram Micro immediately took affected systems offline upon discovery, launched an investigation with leading cybersecurity experts, and notified law enforcement.
## Attack Methodology
- Initial Access: Not disclosed; the intrusion is attributed to the **SafePay** ransomware gang, which deployed ransomware on internal systems.
- Persistence: Not specified, but maintained long enough to deploy ransomware across "certain internal systems."
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Implied, as "certain internal systems" were impacted.
- Collection: Highly probable, given SafePay's typical modus operandi of data theft.
- Exfiltration: Not confirmed, but characteristic of the assumed threat actor.
- Impact: Operational disruption due to system shutdowns necessary for containment.
## Impact Assessment
- Financial: Not disclosed, though the company reported $48 billion in sales in the previous fiscal year, suggesting the potential for major impact.
- Data Breach: Potential data exfiltration; SafePay often steals significant volumes of data (111 GB on average).
- Operational: Significant disruption to the ability to process and ship orders, leading to an apology to customers and partners.
- Reputational: Disruption during a major holiday weekend period.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Ransomware activity detected on internal systems.
## Response Actions
- Containment measures: Immediately took affected internal systems offline upon discovery.
- Eradication steps: Engaged leading cybersecurity experts to assist with the investigation and remediation.
- Recovery actions: Working diligently to restore affected systems to resume order processing and shipping.
## Lessons Learned
- Critical internal systems (shipment processing) could not sustain even a brief interruption without severe operational impact.
- Continuous monitoring and timely disclosure matter: outages were reportedly known by Thursday, but the official statement was not released until Saturday.
## Recommendations
- Review segmentation and isolation capabilities to limit the spread of ransomware across critical operational environments.
- Enhance threat intelligence capabilities specifically tracking ransomware groups like SafePay, whose tactics include data exfiltration preceding or concurrent with encryption.
- Ensure robust, isolated backups are maintained to facilitate faster recovery from wide-scale ransomware events.