Date of Incident:
July 2-3, 2025
Overview:
In July 2025, Ingram Micro experienced a ransomware attack, resulting in a data breach impacting over 42,000 individuals. The attackers deployed ransomware through phishing and exploited vulnerabilities in public-facing applications. Critical system files were encrypted, and documents containing personal information, such as Social Security numbers and government IDs, were exfiltrated. The attack led to significant system outages and data leaks. Techniques used in the breach included phishing, application exploitation, data encryption, and protocol manipulation to disable defenses and move laterally. Key indicators of compromise were observed in network logs and system modifications. The incident was reported in January 2026.
Impact:
Data breach affecting over 42,000 individuals, theft of documents with personal information including Social Security numbers, government-issued IDs, and employment-related information; system outage; ransomware deployed leading to data leaks.
Details:
The ransomware attack on Ingram Micro involved a ransomware payload that leveraged initial access gained through phishing or through exploitation of vulnerable public-facing applications. Mapped to MITRE ATT&CK, the attack encompassed T1566 (Phishing), T1190 (Exploit Public-Facing Application), T1486 (Data Encrypted for Impact), and T1071 (Application Layer Protocol). The payload exfiltrated documents containing PII, including Social Security numbers and government IDs, before encrypting critical system files. Indicators of Compromise (IOCs) include C2 IP addresses observed in network logs, file hashes of the ransomware binary, registry modifications used to establish persistence, and unusual file extensions appended to encrypted files. Relevant log artifacts include Windows Event IDs 4663 (file access) and 7045 (service installation), alongside anomalous network flows to the identified malicious IP addresses. Reported proof-of-concept (PoC) code behavior indicated that the ransomware began by executing PowerShell scripts to disable antivirus defenses and then performed lateral movement through SMB protocol exploitation.
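The two log artifacts named above (Event ID 7045 service installations and Event ID 4663 file-access events) can be turned into simple hunting logic. The following is an added detection example, not code from the incident report or from Ingram Micro: it runs over constructed, simplified event records (the service names, account names, paths and the appended extension are all invented), flags 7045 entries whose ImagePath runs PowerShell with defense-tampering keywords, and flags accounts generating many 4663 write events on files carrying an unknown appended extension, the renaming pattern typical of ransomware encryption. The keyword list and the threshold are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified Windows System/Security log shape.
# These are illustrative records only, not logs from the actual incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "UpdSvc",
     "ImagePath": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x2",
     "ObjectName": r"C:\Users\jdoe\Documents\notes.txt"},
] + [
    # Constructed mass-rename pattern: original extension plus an unknown appended one.
    {"EventID": 4663, "SubjectUserName": "svc_backup", "AccessMask": "0x2",
     "ObjectName": rf"C:\Shares\HR\employee_{i}.pdf.zz7q"}
    for i in range(12)
]

# Assumed indicators of defense tampering to look for in a 7045 ImagePath.
TAMPER_PATTERNS = re.compile(r"DisableRealtimeMonitoring|Set-MpPreference|-EncodedCommand|-enc\b", re.I)
KNOWN_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "jpg", "png", "exe", "dll", "log"}
RENAME_THRESHOLD = 10  # writes with an unknown appended extension per account (tune per site)

def suspicious_service_installs(events):
    """Event ID 7045: return services whose ImagePath runs PowerShell with tampering keywords."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        path = ev.get("ImagePath", "")
        if "powershell" in path.lower() and TAMPER_PATTERNS.search(path):
            hits.append(ev["ServiceName"])
    return hits

def appended_unknown_extension(object_name):
    """True when a known extension is followed by an extra unknown one (e.g. report.pdf.zz7q)."""
    parts = object_name.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in KNOWN_EXTENSIONS and parts[-1] not in KNOWN_EXTENSIONS

def mass_write_accounts(events, threshold=RENAME_THRESHOLD):
    """Event ID 4663 with AccessMask 0x2 (WriteData): accounts producing many renamed files."""
    counts = defaultdict(int)
    for ev in events:
        if (ev.get("EventID") == 4663 and ev.get("AccessMask") == "0x2"
                and appended_unknown_extension(ev.get("ObjectName", ""))):
            counts[ev["SubjectUserName"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("suspicious 7045 installs:", suspicious_service_installs(SAMPLE_EVENTS))
    print("mass 4663 writers:", mass_write_accounts(SAMPLE_EVENTS))
```

In production the same two checks would be fed from a SIEM export rather than the inline list, and the 4663 rule should be paired with a baseline of normal write volume for backup and service accounts to keep false positives down.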
Remediation:
Vendor guidance includes immediately applying security patches to all public-facing applications and endpoints, disabling SMBv1, blocking the identified C2 domains at the firewall, and implementing endpoint detection and response (EDR) solutions to detect anomalous behavior. Temporary mitigations involve network segmentation, enhanced monitoring of critical assets, and offline backups for rapid restoration. Known workarounds include deploying multi-factor authentication (MFA) to reduce phishing success and adopting least-privilege access principles to limit ransomware spread.
Takeaway for CISO:
This incident highlights the high impact of ransomware on supply chain entities with significant exposure of personal data and operational disruption. CISOs should prioritize comprehensive endpoint protection, proactive threat hunting, and swift patch management to mitigate such threats. Emphasizing user awareness campaigns and robust incident response planning is essential to limit ransomware dwell time and downstream data leakage risks.
