The Safepay ransomware gang has given IT distributor Ingram Micro until Friday to pay up or it will release 3.5TB of what it claims to be the company’s stolen data.
The threat appeared this week, listing the company on a countdown clock on the gang’s data leak site, according to Luke Connolly, a Canadian-based threat intelligence analyst at Emsisoft.
As we reported earlier this month, the ransomware attack that started around July 3 triggered a multi-day outage at the international distributor.
Ingram Micro has been asked for comment on this development. However, no reply had been received by press time. In its most recent statement on the attack, Ingram Micro Holdings said on July 9 that it is now operational across all countries and regions where it does business.
Safepay stands on its own
According to Emsisoft’s Connolly, Safepay currently lists 265 victims on its dark web data leak site. That’s a large number for less than a year of operation, he said in an email. The gang was identified in September 2024.
Safepay has used LockBit ransomware in the past, but any other relationship with the LockBit gang is unclear, he said.
Its site carries a boast that the gang is not a ransomware-as-a-service operation, meaning it doesn’t have affiliates to identify or initially compromise IT networks.
“While some ransomware groups seek out publicity,” Connolly said, “Safepay appears to prefer a lower profile, possibly due to successful law enforcement activity to identify individuals behind prolific ransomware gangs.”
This may be one reason it doesn’t use affiliates, he added.
According to a recent report by NCC Group on cyber incidents in the second quarter of this year, Safepay was the fourth biggest ransomware player during the three-month period, behind Qilin, Akira and Play. But looking at May alone, it made 70 attack claims, which made it the most active threat group for the month.
Among its known victims, said NCC Group, was Microlise, a logistics technology firm that saw the exfiltration of 1.2TB of company data and the encryption of its virtual machines.
Ransomware attacks increase
In a report on ransomware released this week, researchers at Zscaler ThreatLabz said the number of organizations listed on all ransomware leak sites rose 70% in the 12-month period ending in April.
A growing number of ransomware operators are abandoning encryption of data in favour of just data extortion, it noted. For example, Hunters International said in June it was shutting down ransomware operations to focus only on extortion.
Despite some successes by international law enforcement agencies against ransomware gangs, Zscaler researchers identified 34 newly active ransomware families during the analysis period, bringing the total number tracked to 425 since its research began. One of the newest gangs calls itself World Leaks, believed to be born from Hunters International.
Among the Zscaler report’s findings
• Hunters International (formerly called Hive before it was crippled by the FBI) significantly increased its alleged total data stolen year-over-year to 122TB, up from 37.7TB. The median claimed data loss per victim also rose to approximately 359GB from 300GB.
• DragonForce made the highest percentage jump in total claimed exfiltration volume, to 20.3TB from 4.2TB.
• Dark Angels had the highest median impact per victim of 5TB. This tracks with the group’s continued focus on large, high-value targets over fewer overall incidents, says the report.
CSOs should note that, according to the Zscaler report, ransomware groups are increasingly leveraging vulnerabilities in critical enterprise technologies to execute their attacks.
“Nearly all of these vulnerabilities are easily exploited because they are internet-facing applications that can be discovered through basic scanning techniques,” said the report. “Key targets include VPNs, backup systems, hypervisors, remote access tools, and file transfer applications—technologies that are pervasive across organizations and essential to operations.”
CSOs who still have no organized plan for protecting against ransomware attacks would do well to consult the Institute for Security + Technology’s Blueprint for Ransomware Defense. It’s a curated subset of essential cyber hygiene safeguards from the Center for Internet Security Critical Security Controls.
As for whether firms should pay ransoms to regain access to their data, governments urge victims not to give in, while acknowledging that the sensitivity of exposed stolen data will be a factor in decisions. Management should also understand that promises crooks make to destroy stolen data if they are paid can't always be trusted.
Nonetheless, in April, we reported that, according to research from Rubrik Zero Labs, 86% of organizations surveyed admitted to paying ransom demands following a cyberattack in the past 12 months.