Ingram Micro Ransomware: Lessons for MSPs (EP 869)

In this special episode, we break down the Ingram Micro ransomware incident, explore how it disrupted global IT operations, and discuss what every MSP can learn from it. Joined by industry expert Michael Crean, we dive into the real-world impact and the importance of resilience and community support.
The Ingram Micro cyber incident sent shockwaves through the IT world, but it’s more than just a headline—it’s a wake-up call for MSPs and IT providers everywhere. In this episode, I’m joined by Michael Crean to discuss the real impact, the lessons we all need to learn, and why compassion and community matter most when crisis hits. Let’s turn disruption into an opportunity for growth and better security.
Why Listen:
- Real-world breakdown of the Ingram Micro incident
- Insights from SonicWall’s Michael Crean
- Actionable tips for MSPs and IT providers
- Discussion on VPN vs. SASE security
- The importance of vendor transparency
- Emotional and business impact on the IT community
- Lessons for incident response and business continuity
- How AI is shaping both attacks and defenses
Guest: Michael Crean
Michael Crean is a seasoned cybersecurity expert and executive at SonicWall, known for his practical insights and deep experience in helping organizations defend against evolving threats. With a passion for education and community, Michael brings real-world advice to IT professionals everywhere.
Companies, Products, and Books Mentioned
- Ingram Micro: https://www.ingrammicro.com
- SonicWall: https://www.sonicwall.com
- TDSynnex: https://www.tdsynnex.com
- D&H: https://www.dandh.com
- Zix/AppRiver: https://www.zix.com
- Microsoft 365: https://www.microsoft.com/microsoft-365
- Dropbox: https://www.dropbox.com
- Fortinet: https://www.fortinet.com
- Checkpoint: https://www.checkpoint.com
- Palo Alto Networks: https://www.paloaltonetworks.com
- WatchGuard: https://www.watchguard.com
- TruGrid: https://www.trugrid.com
=== Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
Today, we're diving into the Ingram Micro cyber incident, how a single breach exposed critical vulnerabilities, disrupted global operations, and delivered hard lessons for IT providers and managed service partners everywhere. Welcome to the IT Business Podcast. Hello, friends, Uncle Marv here with a very special edition of the IT Business Podcast.
Hope you all had a wonderful 4th of July. But of course, if we're here doing a video, something big must have happened. And I'm sure by now, you have heard Ingram Micro had a little incident where if you went to their website sometime on July 3rd or after, you came up to a screenshot that said, we are experiencing a cyber incident.
And as of this evening, which is July 7th, 2025, still down. So what happened, you say? So let's go through it. So basically about, let's see, July 3rd, the ransomware attack began causing widespread outages across Ingram Micro's global operations.
The attack has been claimed by the SafePay ransomware group, a relatively new but active threat actor known for targeting corporate environments via compromised VPN credentials and password spray attacks. Ingram Micro is one of the largest IT providers in the world. And the attack started around 8 a.m. on July 3rd.
Ingram Micro immediately took affected systems offline, isolated compromised areas, and began incident response procedures with internal and external cybersecurity experts. So sources indicate that the attackers may have gained access via Ingram Micro's Palo Alto Networks GlobalProtect VPN, potentially using stolen credentials or password spray attacks to bypass outdated multi-factor authentication protocols. However, this entry method has not been officially confirmed.
So the outage disrupted critical operations including order processing, logistics, and management of cloud licenses, which include 365 and Dropbox, and it rendered both the website and phone systems inoperable for customers and partners. So there is more there, but what I would like to do now is bring in one of our industry experts and a friend of mine, Michael Crean from SonicWall, and get his expert opinion and thoughts on this situation. Michael, welcome to the show.
Hey, Marv. How are you, sir? I'm good. Good to have you back.
It's been a while. It has been a little while. Yeah.
It's been a little while. And unfortunately, not here under the, not talking about happy things. No, we're not.
And I wanted to bring you on because, you know, I, of course, go out and read the news. I read the socials, and I see the comments being made about people in a panic because they can't place their orders. Then, of course, we're speculating about what security measures were in place, were not in place, and what that means for the rest of us.
And let me just first get your thoughts. What do you think is going on? Well, I mean, obviously, they've admitted that they've had a ransomware event. You know, we know that for sure.
There is far too much speculation on all of the things that Ingram did wrong. Now is not the time to speculate. And obviously, now is not the time to do the whole, you know, you get what you get, or you reap what you sow, and it serves them right.
Like, look, I don't care. Like them, not like them. They've done you wrong.
They've done you right, whatever it may be. Nobody deserves to get ransomed. That's first and foremost.
We do have to be a better community of supporting one another in their time of need. Now, maybe it comes out that they did some things wrong. Maybe it comes out that they did nothing wrong, and this was just a highly targeted strategic attack.
Maybe. What do we know? Like, we know they got hit with ransomware. We know their systems are offline.
But beyond that, we don't know a whole lot. Compassionate kindness is probably where we need to be at the moment, because it's affecting people. It's affecting their daily lives.
You know, this isn't just about Ingram. Think about all of the MSPs out there that are trying to buy a Microsoft license or order a Dell computer or a firewall or a switch or whatever it may be. It's impacting their businesses because now they've got deadlines they can't meet and all of these operations that are being suspended.
They can't move forward with what their clients want them to do. So, let's go ahead and start with that because, yes, I saw a lot of that as well. And full disclaimer, I purchased from Ingram Micro.
They're not the only company that I purchased from. In fact, I belong to all of the big distributors, TDSynnex, D&H. I also purchased 365 licenses through Zix AppRiver.
So, did it affect me? Yes, I had some memory that was on backorder. I have no idea if it's shipped or not. But I have other sources that I can go and get stuff from.
So, just like Ingram Micro, you know, we expect them to have an incident response plan and a backup, we ourselves need to have backups as well with having access to other vendors and other ways to procure both hardware and licenses. No, I 100% agree. I mean, you know, there's lots of ways of looking at this.
And unfortunately, I think you and I have read some of the comments out there. It's like, well, now I'm taking all my business to whomever. I'll never buy from Ingram again.
You know, I'm done with them forever. These are emotional responses. Unfortunately, it's sometimes how people act in a moment of crisis because it's all about them and it's less about the community or the, you know, the suffering of, you know, think about all the Ingram employees that can't do their job, that are getting panicked phone calls, that they're just having to say, we're doing our best.
We're trying our hardest. We're trying to get them back online, but they don't know when the systems are going to come back online. I think it's good to have a plan B. I mean, I don't live my life too often with a plan B, because then you're just assuming that plan A is going to fail.
But in these situations, I mean, I said this, if you only ever went to one gas station in your life to get gas, but all of a sudden that gas station didn't have gas, would you just not drive your car? I mean, I think you're smart for having at least a second or a third way to go buy your SonicWall, your Fortinet, your Checkpoint, your Palo Alto, your Microsoft licensing, whatever it may be. If it's urgent and you can't wait, then go to one of these other vendors that can help you out. It's only smart.
In the same way we're talking about procuring equipment and licenses, the way that we have our people access systems remotely, and again, full disclosure, I have some customers on VPN, actually through SonicWall. We're using the firewall with the global VPN product. I have some that are on TruGrid remote access.
So I've got two options there. Tell me what you think about the fact that everybody all of a sudden now is pounding on VPN. The world's been kind of poo-pooing VPN for a little while now, claiming that SASE is the new way to do it.
What are your thoughts there? So I think that all of the manufacturers, and I'm not absolving SonicWall, I think it's all of us. I think it's Fortinet, Checkpoint, Palo Alto, WatchGuard, you know, SonicWall. We're all having some of the same challenges and issues when it comes to the SSL VPN technology.
It's being highly attacked. Obviously, the pandemic hyper-charged the use of it for working from home and remote access and getting people into the office. I mean, unfortunately, there's still a lot of open RDP out there that's happening with no VPN on top of it.
But when you have something that becomes so highly targeted in its attack, and it becomes highly focused, and that's why we're seeing the vulnerabilities the way that we're seeing them. I do believe that the SSE, ZTNA, SASE, I mean, there's so many acronyms that we can throw at this thing because it just means a little bit of something to everybody else, but let's just call it the cloud-native VPN technology. I do personally believe it is far more secure.
I think it's faster. I think it's harder to compromise. We also don't know what we don't know.
Maybe in 10 years from now, we're looking at the SSE, ZTNA, SASE technology and say, wow, we're now getting eaten alive by that because now that's where all the threat actors are focusing their time and they're finding ways to get around it. There's a lot of differences between the way you can do like a continuously authenticating technology that is looking to truly identify you by maybe installing a certificate on a machine, using MFA, doing something more than just the typical two things, your username and your password. That's a big failure.
That's really taking place a lot today with the VPNs. Do you think AI is having a big part of this as well? We already know that there's a possibility that stuff was grabbed from the dark web, but AI on either side, I guess, on the bad actor side and on our side, how do you think AI is playing a part in all of this? I don't know. I mean, I think it's two pronged and I think it's like two totally different answers.
On the threat actor side, absolutely. They are using AI. It's helping them get through their algorithms faster.
It's helping them to parse through and crunch data quicker. It's helping them get to the result of what they're looking for because AI is doing a lot of heavy lifting for them. Just like on the good side of the defense, the people that are running the SOCs and the MDR services, certainly they're using AI to get through 99% of the trash, bring out that 1% that needs more of a deeper investigation.
The part where I think that it's weakened us, it's weakening us as an industry, and I believe it's also weakening us as a little bit of a society here because all we hear is every vendor talking about AI, how great it is, how amazing it is, how wonderful, all the time savings and all of the benefits that we get to it. But then what about all the fundamentals? What about doing good patch management? What about making sure you've got role-based access control? What about making sure that you're constantly using MFA? What about making sure that you've got conditional access in place? All of these fundamental pieces that AI is becoming such a stronghold topic that I think we're forgetting to do the fundamentals of the basics. And AI can't stop us.
Well, AI can't fix stupid. And right now we're acting a little too stupid. Very interesting.
So we know, of course, the impact of this for Ingram's got to be substantial. Multiple delays, you know, in terms of days, potential financial stuff. We already mentioned the reputational concerns with people claiming they'll take their business elsewhere.
But a lot of this is really lessons for us. We kind of mentioned that this can happen to anybody. If we're talking about a user account for somebody that's gone, but hasn't been terminated, hasn't been disabled, password changed, or anything like that.
Or we're talking about that person that we turned off MFA because we were having an issue and it was just easier. Those things like that. Can you think of any other lessons that MSPs should take away from this? Well, I mean, let's be clear, Marv.
What makes the news? You know, there was an old statement that this old reporter told me one time. It says, if it bleeds, it leads. So the bigger the story, the more sensational it is.
Those are the things that we hear and we talk about. So I will bet you somewhere in the last 72 hours, there's been a bunch of small businesses that have had credential theft, that have had business email compromise, that have probably got somebody running around in their network doing things that they may not even know, or maybe have been hit with ransomware, but it's not big enough to talk about. So we're talking about this today because it is a huge, massive interruption.
I mean, we're talking about Ingram Micro, somebody that's known globally to who knows how many people it was worth. I don't even know what the billions of dollars that Ingram is worth, but it's quite big. I'd love to have the interest off of that for one day, is what I'd like to have.
I think the lessons learned here are that it happens to everybody, but we're talking about this one because it's huge. It has interrupted lots of our lives. But again, in sport, let's not kick them when we're down because we don't even know that they should be kicked.
We should be, hey, look, if I've got a critical order, I'm going to go put it somewhere else. We're not leaving Ingram just because they've had a bad day in something that maybe they didn't do anything wrong. I'm a little bit of a betting man, and I like to play a few odds in Vegas.
I don't think I'm going to put all my chips in and go all in that they did nothing wrong because it's very, very rare in most of these compromises. But I'm not willing to cast that vote yet. Yeah.
So one of the things that I really liked about what they did is they did not shy away from the fact of, hey, this is a cyber incident. They threw it up on their website. As soon as you went to their page, that's what you saw.
And then there was a link to a little more of a story about Ingram Micro, what they're doing and all of that. Vendor transparency, something that I know MSPs have complained about in other situations. This complete opposite turned on its head.
What do you think about how they've handled it so far? So far, I'm impressed with what they've done. They didn't acknowledge that it was a ransomware incident at first, but I don't know if they really knew. But they have come out.
They've acknowledged that, yes, they were hit with ransomware. They've been quick about acknowledging it. They're making updates.
They're doing as much as I believe they should be doing to be an honest, honorable, and ethical vendor to try to give people as much information. I mean, look, if there is a group of threat actors out there and they're working with whatever law enforcement that they're working with, I'm sure there's information that they're holding back at the moment because maybe there's a retaliation. Maybe they're trying to go after them.
Maybe they're trying to figure out how they figure out who these people are so that they could take away this opportunity for it to do it again to someone else. So if they slow down on giving us some information and not giving us the full root cause analysis and we don't find out till later, I'm OK with that because I think they've done it right up till now. All right.
Very nice. Well, Michael, thank you very much. And this was a quick turnaround and you made some time for me and I appreciate that as always.
Any closing thoughts that you think people should take away from this? Be diligent. Don't point the finger too fast. Marv, I don't know about you, but as a kid, you know, I'm out there in the backyard and I'm yelling at my friends and mad because somebody dropped the touchdown pass and I'm pointing my finger.
And, you know, my dad comes out and says, you know, when you're pointing one finger at somebody, how many are you pointing back at yourself? I think we all have room to grow. We all have room to improve. And right now, this is a time where we come together as a community and not let these cyber criminals rip us apart and then start making bad emotional decisions.
You know, go look at all of your customers. Have you patched everything? Have you 100 percent forced MFA? Do you know that you could really defend all of your actions if they were the ones that this was happening to and somehow you became the focus of everyone's attention and the whole world wanted to talk about you? And if you can't, well, maybe it's time we just be quiet and wait. Yeah.
One of the things that I hope to do is to follow up on this and find out what the actual incident was, how it happened, and use this as a way to teach some of my customers that are pushing back and saying, look, if only this had happened or this had happened or if they did do everything right, just admit it and say that. But I'd love to be able to go to my clients and say, look, we have got to put these protections in place. And it's not just the big boys being attacked.
It's anyone on the Internet. Absolutely. I think it's a great way of using it as education, not fear.
Yeah. All right. Michael Crean with SonicWall.
Thank you once again. And for everybody listening, thank you very much for tuning in. And hopefully we'll have more information later.
But tune in to the IT Business Podcast. Go to our website. Follow us on our socials and be notified whenever we have either regular podcasts or breaking news such as this.
We'll see you soon. And until then, holla!