News Analysis: Safepay Hackers Threaten to Publish 3.5 TB of Allegedly Stolen Ingram Micro Data
A dark web countdown clock and a hacker forum post from the Safepay ransomware group have put a global IT services giant, Ingram Micro, under extreme pressure. The group is threatening to publish 3.5 TB of data allegedly stolen from the company, with a deadline of August 1st. This incident is a prime example of the growing trend of “double extortion” ransomware, where attackers exfiltrate data before (or instead of) encrypting systems and use the threat of publication as leverage, so that restoring from backups alone does not end the incident.
Ingram Micro, a vital component of the global IT supply chain, confirmed on July 5th that it had been a victim of a ransomware attack. While the company stated that the incident was “contained and remediated” and that all global operations were restored by July 9th, its official statements have been silent on the data theft, saying that the investigation into the “scope of the incident and affected data is ongoing.” This stands in stark contrast to the threat actor’s public claims.
Key Insights into the Ingram Micro Ransomware Attack
This ransomware incident carries several critical implications:
- Escalation of Ransomware Tactics: The attack by Safepay is a clear example of the evolution of ransomware tactics. The group, which shares similarities with the notorious LockBit ransomware family, is a “double extortion” threat actor that not only encrypts a victim’s systems but also exfiltrates a vast amount of data to be used as leverage. This approach is highly effective because even if a company has backups and can restore its systems, it still faces the severe reputational and legal damage of a public data leak.
- Significant Supply Chain Risk: Ingram Micro’s role as a major global distributor of technology products and services means a breach of this nature poses a significant supply chain risk. The leaked data, which could contain sensitive information about the company’s partners and managed service providers (MSPs), could be used by the threat actors to launch further attacks on a wide range of companies, creating a cascading effect on the entire IT ecosystem.
- Financial and Reputational Pressure: The countdown clock on Safepay’s leak site is a deliberate tactic to place more pressure on Ingram Micro to pay the ransom. The threat of a public data leak, which could expose sensitive customer information, trade secrets, and other confidential data, can be a powerful incentive for a company to pay. A countdown that is still running only indicates that no agreement has been reached: the company may have refused to pay, may still be negotiating, or may simply be declining to engage. It says nothing about the strength of its security posture, and a leak-site timer should be read as a pressure tactic rather than as evidence about the victim’s defenses.
- Sophisticated and Evasive Tactics: According to cybersecurity researchers, the Safepay group relies on tooling that blends in with normal administration: gaining initial access through exposed RDP and VPN gateways, abusing legitimate remote management tools to move through and persist in the network, and staging data with WinRAR (typically as password-protected, split archives) before transferring it out with FileZilla. Each of these steps runs on legitimate, signed software, which is exactly why perimeter defenses alone do not catch them. Companies need endpoint and network telemetry, and detection logic written against these behaviours, in addition to a hardened perimeter.
Critical Mitigation Strategies for Ingram Micro and the IT Ecosystem
In response to this attack, immediate and robust mitigation efforts are essential:
- Urgent Forensic Investigation and Threat Hunting: Ingram Micro must continue its thorough forensic investigation to verify the extent of the data theft and identify the initial point of entry. It is also critical to conduct aggressive threat hunting for any remaining foothold, such as backdoors, rogue accounts, or remote management tools the attackers installed for persistent access, since a restored environment that still contains the attacker’s access can be hit again.
- Enhanced Access Controls and MFA: Organizations can protect against attacks by placing strict access controls on their systems and enforcing strong authentication measures, such as Multi-Factor Authentication (MFA), for all user accounts, especially privileged accounts and any account that can authenticate to a remote access gateway such as a VPN or RDP. This is a crucial step to prevent unauthorized access even if credentials are stolen.
- Proactive Vulnerability Management: Companies should have a robust vulnerability management program that includes monitoring for newly discovered vulnerabilities in their systems and applications, and patching them as soon as possible. Internet-facing remote access infrastructure deserves priority: VPN appliances should be kept current and restricted to MFA-protected accounts, and RDP should not be exposed directly to the internet, because these gateways are precisely the entry points this group is reported to exploit.
- Third-Party Risk Management: Given the supply chain risk, Ingram Micro’s partners and MSPs must also be vigilant. They should have a strong security posture and an incident response plan in place to mitigate any potential damage from a third-party breach.
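The tactics listed above (WinRAR staging followed by FileZilla or a similar transfer tool) and the threat-hunting recommendation both come down to the same question: can you spot that pattern in your own telemetry? The following is an added example, not code from the original article or from Ingram Micro, showing one simple correlation over process-creation events. The event records are constructed for illustration in a Sysmon-like shape (timestamp, host, user, image path, command line) and the tool lists, switch patterns and time window are assumptions a hunter would tune to their environment.

```python
"""Correlate archive staging with a follow-on transfer tool on the same host.

Added example: process-creation events are constructed below in a
Sysmon-style shape; they are not real Ingram Micro or Safepay artefacts.
"""
import re
from datetime import datetime, timedelta

# Archivers commonly abused for staging, and transfer tools used to exfiltrate.
# Assumption: tune these to your own environment's allow-list.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
TRANSFER_TOOLS = {"filezilla.exe", "winscp.exe", "rclone.exe", "ftp.exe"}

# Switches that password-protect an archive: RAR -p / -hp (the latter also
# encrypts file names), 7-Zip -p / -mhe. Attackers use these so the staged
# data cannot be inspected by DLP or by responders who recover the archive.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p|mhe)\S*", re.IGNORECASE)
# A UNC source means the archiver is pulling from a file share, not local files.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")
# Transfer tools launched via a shell show cmd.exe as the image; catch them by name.
TRANSFER_IN_CMDLINE = re.compile(r"\b(filezilla|winscp|rclone|ftp)\b", re.IGNORECASE)

# Constructed sample events (ISO timestamps, local host clock).
SAMPLE_EVENTS = [
    {"ts": "2025-07-03T22:10:04", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmd": r"Rar.exe a -r -hpP@ss -v2g D:\staging\fin.rar \\FS01\Finance\*"},
    {"ts": "2025-07-03T22:14:30", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "cmd": "filezilla.exe"},
    # Benign: a user zipping one document, nothing transferred afterwards.
    {"ts": "2025-07-03T09:00:00", "host": "WS17", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": "WinRAR.exe a report.rar report.docx"},
    # Same host, but 90 minutes after the staging run: outside the default window.
    {"ts": "2025-07-03T23:40:00", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c rclone copy D:\staging remote:bucket"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_staging_archive(event):
    """Archiver run that looks like bulk staging: password switch or UNC source."""
    if basename(event["image"]) not in ARCHIVERS:
        return False
    cmd = event["cmd"]
    return bool(PASSWORD_SWITCH.search(cmd) or UNC_PATH.search(cmd))


def is_transfer_tool(event):
    """Known transfer tool by image name, or by name inside a shell command line."""
    if basename(event["image"]) in TRANSFER_TOOLS:
        return True
    return bool(TRANSFER_IN_CMDLINE.search(event["cmd"]))


def correlate_staging(events, window_minutes=60):
    """Return one finding per (staging archive, transfer tool) pair on the same
    host where the transfer starts within window_minutes after the archive."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for archive in events:
        if not is_staging_archive(archive):
            continue
        t0 = parse_ts(archive["ts"])
        for transfer in events:
            if transfer["host"] != archive["host"] or not is_transfer_tool(transfer):
                continue
            delta = parse_ts(transfer["ts"]) - t0
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                findings.append({
                    "host": archive["host"],
                    "user": archive["user"],
                    "archive_cmd": archive["cmd"],
                    "transfer_cmd": transfer["cmd"],
                    "minutes_apart": int(delta.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_staging(SAMPLE_EVENTS):
        print(f"[!] {finding['host']} {finding['user']}: staging archive followed "
              f"by transfer tool {finding['minutes_apart']} min later")
        print(f"    {finding['archive_cmd']}")
        print(f"    {finding['transfer_cmd']}")
```

With the constructed events, the 60-minute default pairs the password-protected RAR run against a file share with the FileZilla launch four minutes later and ignores both the benign single-file archive and the rclone run that falls outside the window; widening the window to 120 minutes surfaces the rclone run as well. The point of the time window is precision, not recall: widen it during an active hunt after a confirmed incident, keep it tight for a standing alert. In a real deployment the events come from your EDR or Sysmon pipeline rather than an inline list, and the same two predicates can also be expressed directly as a SIEM correlation rule.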
Need Further Assistance?
If you have any further questions regarding this critical incident, suspect your personal data or your organization’s sensitive information may be compromised, or require advanced cyber threat intelligence and dark web monitoring services, you are encouraged to use the ‘Ask to Analyst’ feature to consult with a real expert, contact Brinztech directly, or, if you find the information irrelevant, open a support ticket for additional assistance.