{"id":4183,"date":"2025-07-31T01:21:15","date_gmt":"2025-07-31T01:21:15","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4183"},"modified":"2025-07-31T01:21:15","modified_gmt":"2025-07-31T01:21:15","slug":"ransomware-gang-tells-ingram-micro-pay-up-by-august-1","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4183","title":{"rendered":"Ransomware gang tells Ingram Micro, \u2018Pay up by August 1\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The Safepay ransomware gang has given IT distributor Ingram Micro until Friday to pay up or it will release 3.5TB of what it claims to be the company\u2019s stolen data.<\/p>\n<p>The threat appeared this week, listing the company on a countdown clock on the gang\u2019s data leak site, according to Luke Connolly, a Canadian-based threat intelligence analyst at <a href=\"https:\/\/www.emsisoft.com\/en\/\" target=\"_blank\" rel=\"noopener\">Emsisoft<\/a>.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4018040\/ingram-micro-confirms-ransomware-attack-after-days-of-downtime.html\" target=\"_blank\" rel=\"noopener\">As we reported earlier this month<\/a>, the ransomware attack that started around July 3 triggered a multi-day outage at the international distributor.<\/p>\n<p>Ingram Micro has been asked for comment on this development. However, no reply had been received by press time. 
In its <a href=\"https:\/\/www.ingrammicro.com\/en-us\/information\" target=\"_blank\" rel=\"noopener\">most recent statement<\/a> on the attack, Ingram Micro Holdings said on July 9 that it is now operational across all countries and regions where it does business.<\/p>\n<h2 class=\"wp-block-heading\">Safepay stands on its own<\/h2>\n<p>According to Emsisoft\u2019s <a href=\"https:\/\/www.linkedin.com\/in\/lnconnolly\/\" target=\"_blank\" rel=\"noopener\">Connolly<\/a>, Safepay currently lists 265 victims on its dark web data leak site. That\u2019s a large number for less than a year of operation, he said in an email. The gang was identified in September 2024.<\/p>\n<p>Safepay has used LockBit ransomware in the past, but any other relationship with the LockBit gang is unclear, he said.<\/p>\n<p>Its site carries a boast that the gang is not a ransomware-as-a-service operation, meaning it doesn\u2019t have affiliates to identify or initially compromise IT networks.<\/p>\n<p>\u201cWhile some ransomware groups seek out publicity,\u201d Connolly said, \u201cSafepay appears to prefer a lower profile, possibly due to successful law enforcement activity to identify individuals behind prolific ransomware gangs.\u201d<\/p>\n<p>This may be one reason it doesn\u2019t use affiliates, he added.<\/p>\n<p>According to <a href=\"https:\/\/insights.nccgroup.com\/review-of-q2-2025-threat-intelligence-report\" target=\"_blank\" rel=\"noopener\">a recent report<\/a> by NCC Group on cyber incidents in the second quarter of this year, Safepay was the fourth biggest ransomware player during the three-month period, behind Qilin, Akira and Play. 
But looking at May alone, it made 70 attack claims, which made it the most active threat group for the month.<\/p>\n<p>Among its known victims, said NCC Group, was Microlise, a logistics technology firm that saw the exfiltration of 1.2TB of company data and the encryption of its virtual machines.<\/p>\n<h2 class=\"wp-block-heading\">Ransomware attacks increase<\/h2>\n<p>In a <a href=\"https:\/\/www.zscaler.com\/campaign\/threatlabz-ransomware-report\" target=\"_blank\" rel=\"noopener\">report on ransomware<\/a> released this week, researchers at Zscaler ThreatLabz said the number of organizations listed on all ransomware leak sites rose 70% in the 12-month period ending in April.<\/p>\n<p>A growing number of ransomware operators are abandoning encryption of data in favour of just data extortion, it noted. For example, Hunters International said in June it was <a href=\"https:\/\/www.csoonline.com\/article\/4016974\/hunters-international-shuts-ransomware-operations-reportedly-becomes-an-extortion-only-gang-called-world-leaks.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">shutting down ransomware operations<\/a> to focus only on extortion.<\/p>\n<p>Despite some successes by international law enforcement agencies against ransomware gangs, Zscaler researchers identified 34 newly active ransomware families during the analysis period, bringing the total number tracked to 425 since its research began. 
One of the newest gangs calls itself World Leaks, <a href=\"https:\/\/www.csoonline.com\/article\/4026425\/dell-demonstration-platform-breached-by-world-leaks-extortion-group.html\" target=\"_blank\" rel=\"noopener\">believed to be born from Hunters International.<\/a><\/p>\n<p>Among the Zscaler report\u2019s findings:<\/p>\n<p>\u2022 Hunters International (formerly called Hive <a href=\"https:\/\/www.csoonline.com\/article\/574465\/fbi-takes-down-hive-ransomware-group-in-an-undercover-operation.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">before it was crippled by the FBI<\/a>) significantly increased its alleged total data stolen year-over-year to 122TB, up from 37.7TB. The median claimed data loss per victim also rose to approximately 359GB from 300GB.<\/p>\n<p>\u2022 DragonForce made the highest percentage jump in total claimed exfiltration volume, to 20.3TB from 4.2TB.<\/p>\n<p>\u2022 Dark Angels had the highest median impact per victim of 5TB. This tracks with the group\u2019s continued focus on large, high-value targets over fewer overall incidents, says the report.<\/p>\n<p>CSOs should note that, according to the Zscaler report, ransomware groups are increasingly leveraging vulnerabilities in critical enterprise technologies to execute their attacks.<\/p>\n<p>\u201cNearly all of these vulnerabilities are easily exploited because they are internet-facing applications that can be discovered through basic scanning techniques,\u201d said the report. 
\u201cKey targets include VPNs, backup systems, hypervisors, remote access tools, and file transfer applications\u2014technologies that are pervasive across organizations and essential to operations.\u201d<\/p>\n<p>CSOs who still have no organized plan for protecting against ransomware attacks would do well to consult the Institute for Security + Technology\u2019s <a href=\"https:\/\/securityandtechnology.org\/virtual-library\/report\/blueprint-for-ransomware-defense\/\" target=\"_blank\" rel=\"noopener\">Blueprint for Ransomware Defense.<\/a> It\u2019s a curated subset of essential cyber hygiene safeguards from the\u00a0<a href=\"https:\/\/www.cisecurity.org\/controls\" target=\"_blank\" rel=\"noopener\">Center for Internet Security Critical Security Control<\/a>s.<\/p>\n<p>As for whether firms should pay ransoms to get access back to their data, governments urge victims not to give in, while at the same time acknowledging that the sensitivity of exposed stolen data will be a factor in decisions. Management should also understand that promises crooks make to destroy stolen data if they are paid can\u2019t always be trusted.<\/p>\n<p>Nonetheless, in April, we reported that, according to research from Rubrik Zero Labs, 86% of organizations surveyed <a href=\"https:\/\/www.csoonline.com\/article\/3968299\/global-firms-succumb-to-ransomware-86-pay-up-despite-having-advanced-backup-tools.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">admitted to paying ransom demands<\/a> following a cyberattack in the past 12 months.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The Safepay ransomware gang has given IT distributor Ingram Micro until Friday to pay up or it will release 3.5TB of what it claims to be the company\u2019s stolen data. 
The threat appeared this week, listing the company on a countdown clock on the gang\u2019s data leak site, according to Luke Connolly, a Canadian-based threat [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4184,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4183"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4183"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4184"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}