Ingram Micro restarts orders – for some – following ransomware attack – Source: go.theregister.com

Ingram Micro says it is gradually reactivating customer’s ordering capabilities across the world, region by region, now its ransomware attack is thought to be “contained”.

The distie’s update on Tuesday confirmed that three days after pulling systems offline to handle its ransomware attack: “we believe the unauthorized access to our systems in connection with the incident is contained and the affected systems remediated.”

“We have implemented additional safeguards and monitoring measures to protect our network environment as we bring our systems back online,” it added.

While investigations into the scope of the attack remain ongoing, customers are waking up to the news that they can once again start placing orders for subscriptions and other products via phone and email.

Ingram said it was making strides with restoring its transactional business, although regional limitations were in place.

However, new territories are having their ordering capabilities restored each day.

Global availability of subscription orders, renewals, and modifications is now in place, and these are being managed by its support organization, Unified Support.

New orders can also be placed via phone and email in select countries: the UK, US, Germany, France, Italy, Spain, Austria, Canada, Singapore, the Nordics, Brazil, India, and China. 

Hardware and other technology orders remain limited, but these limitations will be communicated as customer orders are placed, it said in a revised statement yesterday.

The business turns over around $190 million each working day, so those “limitations” are of concern. Each day of downtime equates to a wad of money, some of it potentially lost to rivals. The distie reported revenues of $12.28 billion in its most recent quarter ended March 29.

Sources speaking to The Register said Ingram Micro has not been communicating with customers directly, and they only knew where to look for updates after we pointed them to the right page.

They said on Tuesday that support remains patchy, with telephone hold queues so lengthy that they had to abandon efforts to increase a client’s Dropbox license count for new starters.

Attempts to email customer support are met with automated responses that cite the ongoing disruption to systems and restoration struggles.

Both phone and email routes that are suggested to customers via Unified Support were attempted but were unsuccessful. The customer portal remains down.

Fears remain about data security with respect to customers and their clients, and Ingram Micro has yet to release any details about the potential impact on data caused by the attack.

“The lack of communication is poor,” one customer said. “I get they might not want to reveal all, but some communication and reassurance would be appreciated.”

The news follows a cyberattack which the company confirmed to involve ransomware over the weekend. Several customers contacted The Register last week to complain about a lengthy outage at the distie while left with no official comms to support them through the disruption.

Talk of foul play quickly grew feverish and customer fears were validated on Saturday, July 5, when the company attributed the issues to ransomware, after the SafePay group claimed responsibility for the attack.

The full extent of the intrusion is not yet known, although Ingram Micro’s ordering process was down for hours, and it still remained hobbled yesterday.

For a company with a turnover the size of Ingram’s, any disruption to key revenue streams such as orders and subscriptions could have a sizable impact on its bottom line.

According to financial results, the distrubtor’s net sales totaled $48.0 billion in fiscal 2024 ended December 28.

While Ingram’s recent sales were halted, some of those orders will have been held and some will continue to be placed with the distributor now and after the disruption subsides. 

However, it’s entirely possible that a chunk of these sales – however big or small – will be placed with competitors, further compounding the significant costs associated with cleaning up a ransomware mess.

According to security shop Huntress, the average cost of recovering from a ransomware attack is now in excess of $4.5 million. The figure invariably rises and falls depending on the size of the company and their industry.

The average ransom demand alone stands at $2.5 million. 

Ransomware affiliates claim to analyze a victim’s financials, where available, and make determinations based on that, although these analyses are frequently miscalculated or poorly estimated.

• Ingram Micro confirms ransomware behind multi-day outage
• 14-hour+ global blackout at Ingram Micro halts customer orders
• Ingram Micro to ‘stop doing business’ with Broadcom, downgrade to ‘limited engagement’ on VMware
• Former Facebook lobbyist joins UK comms regulator as non-exec director

According to the ransom note left behind by the SafePay affiliate responsible for the intrusion, the distie had seven days from the time of receipt to pay their extortion demands or risk having its data posted online.

The affiliate allegedly broke into Ingram’s network via its GlobalProtect VPN platform, but Palo Alto Networks told us that after looking into these claims has now determined this is “false”.

“We can confirm that none of our products were either the source of the vulnerability or impacted by the breach.” ®