Google revealed that hackers, claiming affiliation with the Cl0p ransomware group, have dispatched extortion emails to corporate executives across multiple organizations, alleging data theft from their Oracle E-Business Suite instances. Reuters reports that Google described the campaign as “high volume” but conceded it lacks definitive proof that sensitive data was actually stolen. At the same time, Oracle has confirmed that some of its EBS customers have received similar threats, suggesting the attackers may be exploiting previously known and a newly patched zero-day vulnerability (CVE-2025-61882) in Oracle’s systems. Analysts say the emails include contact information tied to Cl0p’s data leak site, demands ranging into the millions (with some as high as $50 million), and elements consistent with the gang’s modus operandi—including poor grammar and proof-of compromise sampling. Security experts emphasize that companies should urgently patch vulnerable systems, scan for signs of compromise, and treat any executive threats seriously.
Sources: Cyber Security Dive, Reuters
Key Takeaways
– Attackers claiming Cl0p affiliation are sending large volumes of extortion emails to top executives, alleging theft of sensitive corporate data.
– Oracle confirms that customers of its E-Business Suite have been targeted, and a zero-day vulnerability (CVE-2025-61882) in Oracle systems is implicated in the campaign.
– The extortion messages often include contact info historically linked to Cl0p’s leak site, proof-of-compromise samples, and ransom demands in the multi-million dollar range.
In-Depth
This unfolding ordeal marks a bold escalation in the tactics employed by ransomware-linked extortion groups, bringing the spotlight onto corporate leadership as direct targets. Starting around September 29, hackers began sending threatening emails to executives across multiple sectors, claiming they had exfiltrated sensitive files from the recipients’ Oracle E-Business Suite environments. Google’s Threat Intelligence and its Mandiant unit first flagged the campaign, cautioning that while the volume of the emails is high, the evidence backing the claims of stolen data remains inconclusive.
However, the campaign’s sophistication is underscored by the fact that the emails often include contact addresses previously used in Cl0p’s data leak operations. That linkage bolsters credibility—and fear—even as attribution remains technically tentative. In parallel, Oracle has confirmed awareness of the extortion emails targeting EBS customers and is actively investigating, warning that attackers may have exploited both known vulnerabilities (which were patched in Oracle’s July 2025 update) and a newly discovered zero-day flaw, CVE-2025-61882, which allows remote execution without authentication. That bug has been patched by Oracle over the past weekend, but security firms warn that many organizations may already be compromised.
The extortion letters follow a familiar template: sloppily written English, proof-of-compromise samples or screenshots, and ultimatums to pay or face public release of sensitive data. Some ransom demands reportedly reach as high as $50 million. While Google says it does not have sufficient evidence to confirm the underlying claims, the tie to Cl0p’s infrastructure and method-style places this campaign solidly within the known playbook of that group, which has historically used both encryption and “data leak only” extortion strategies.
From a threat management perspective, organizations running Oracle EBS must urgently validate they have applied all critical patches (including against CVE-2025-61882), perform forensic scans for indicators of past compromise, harden access controls (e.g. enforce multifactor authentication), and treat any executive-level extortion message as a potentially serious breach precursor. The warning also signals that ransomware affiliates may be refining their approach—shifting from bulk attacks against infrastructure to psychological pressure applied directly to leadership, raising the stakes in how organizations protect not just their systems, but their C-suite.