Ransomware gang sets deadline to leak 3.5 TB of Ingram Micro data

(2025/07/30)


The cybercriminals claiming responsibility for Ingram Micro's ransomware attack put a deadline on leaking its data nearly a month after the raid.

The SafePay ransomware group posted Ingram Micro to its leak blog on July 29, saying it intends to release 3.5 TB of company data on August 1.

In typical double extortion ransomware scenarios, attackers post information about the victim to a leak blog as a pressure tactic. The idea is to heighten publicity about the attack, encouraging the victim to pay the attacker's extortion demands.

Although Ingram Micro previously said it had contained the incident, its appearance on SafePay's website suggests that – if it was being extorted as per the ransomware playbook – it did not pay up.

The Register approached both Ingram Micro and SafePay for more information.

[2] Ingram Micro's listing on SafePay's ransomware leak site

Ingram Micro has not updated its public information page about the ransomware attack since July 9, [3] the day it says it restored global business operations.

The update states: "Ingram Micro is pleased to report that we are now operational across all countries and regions where we transact business. Our teams continue to perform at a swift pace to serve and support our customers and vendor partners.

"We are grateful for the support we've received from our customers and industry colleagues. This is an industry based on strong and committed relationships that make all the difference."

Sources who spoke to The Register at the time of the attack complained about the company's communications and not knowing where to look for information.

Websites still being restored

Infosec watchers also [8]spotted the distie restoring some of its lesser-used websites this week, which had remained offline since the attack.

Ingram Micro restored its Middle East, Turkey, and Africa (META) security website, which it uses to promote consultancy and training services, and security solutions.

It is now back up and running, although some assets are still not loading due to certain subdomains not being found, and the content does not appear to have been updated in years. ®



[1] https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/

[2] https://regmedia.co.uk/2025/07/30/safepay_ingram_micro_leak_blog.jpg

[3] https://www.theregister.com/2025/07/09/ingram_micro_restarts_orders_for/

[4] https://www.theregister.com/2025/07/29/fbi_scattered_spider_alert/

[5] https://www.theregister.com/2025/07/28/security_pros_drowning_in_threatintel/

[6] https://www.theregister.com/2025/07/25/ir35_advisor_qdos_confirms_data_breach/

[7] https://www.theregister.com/2025/07/22/uk_to_ban_ransomware_payments/

[8] https://cyberplace.social/@GossiTheDog/114937779582630742




Basics?

Woodnag

Surely a basic monitor is for significant traffic, aggregated over various time periods to catch steady trickle downloads as well as fast dumps?

3.5TB !!!

Re: Basics?

Lee D

50 minutes on a 10Gbit leased line.

A terabyte is literally pathetic amounts of data for a large place like that and I guarantee they have way more than 10Gbit.

Plus... nobody is looking for, or will notice, slower data extraction. That blip wouldn't even SHOW on the networking of your average primary school (which are now being required to have 10Gbit leased lines), let alone a huge IT company.

And even looking for it... they're already inside, they've only got to talk an SSL session out to, say, Azure or Google Drive and how would you tell that from Marketing uploading a video to their OneDrive? You wouldn't.

Honestly, it's just not the kind of thing people can spend resources looking at, because the false positives would be humungous. Do it out of hours, in slow trickles, etc. and you would never tell.
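
The multi-period aggregation raised in the first comment, as an added example that is not part of the article or either comment: per-host outbound bytes are summed over sliding 1-hour, 24-hour and 7-day windows and compared with a threshold for each window. The flow records, host names, window lengths and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque

HOUR = 3600
GB = 10**9

# Assumed windows and per-host byte thresholds (illustrative, not from the article).
WINDOWS = {
    "1h": (HOUR, 200 * GB),
    "24h": (24 * HOUR, 500 * GB),
    "7d": (7 * 24 * HOUR, 700 * GB),
}

def egress_alerts(flows, windows=WINDOWS):
    """flows: iterable of (unix_ts, host, bytes_out).
    Returns {(host, window_name)} for every host whose outbound bytes
    inside any sliding window of that length exceed the window's threshold."""
    per_host = defaultdict(list)
    for ts, host, nbytes in flows:
        per_host[host].append((ts, nbytes))
    alerts = set()
    for host, recs in per_host.items():
        recs.sort()
        for name, (span, limit) in windows.items():
            window, total = deque(), 0
            for ts, nbytes in recs:
                window.append((ts, nbytes))
                total += nbytes
                # Drop flows that have aged out of the window ending at ts.
                while window[0][0] <= ts - span:
                    total -= window.popleft()[1]
                if total > limit:
                    alerts.add((host, name))
                    break
    return alerts

def sample_flows():
    """Constructed records: one fast dump, one slow trickle, one ordinary upload."""
    flows = [(0, "fileserver-a", 400 * GB)]                       # 400 GB in one hour
    flows += [(h * HOUR, "db-b", 5 * GB) for h in range(7 * 24)]  # 5 GB/hour for a week
    flows += [(10 * HOUR, "laptop-c", 50 * GB)]                   # single large upload
    return flows

if __name__ == "__main__":
    for host, name in sorted(egress_alerts(sample_flows())):
        print(f"{host}: outbound volume over {name} threshold")
```

The trickle from `db-b` stays under the 1-hour and 24-hour thresholds and is flagged only by the 7-day window; volume alone says nothing about the destination, so the single 50 GB upload raises no alert.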
