In recent days, a surge of extortion emails has been sent to senior corporate executives, claiming that hackers affiliated with the Cl0p ransomware gang have exfiltrated sensitive data from Oracle’s E-Business Suite. Google’s Threat Intelligence Group (GTIG) says the campaign began around September 29, using hundreds of compromised accounts to target leaders at “numerous” organizations — though Google admits it has not yet verified the hackers’ claims. According to Bloomberg, in one instance the attackers demanded as much as $50 million. Oracle has since confirmed that some customers have received these threatening messages and is investigating the issue, noting that the attacks may exploit known vulnerabilities addressed in its July 2025 critical patch update. Security analysts suggest the attackers may be abusing default password-reset or local account features on Oracle systems exposed to the internet, particularly those lacking multifactor authentication.
Key Takeaways
– The extortion emails target corporate executives and claim stolen data from Oracle’s E-Business Suite, but no independent confirmation of the breach has been made.
– Ransom demands reportedly go as high as $50 million, leveraging contact addresses tied to Cl0p’s known operations to amplify credibility.
– Analysts point to known vulnerabilities patched in July 2025 and weak account security (e.g. lack of MFA, default password resets) as likely vectors for exploitation.
In-Depth
It’s a scenario every enterprise fears: find yourself on the receiving end of an email from a group claiming to have pilfered your most sensitive data, and demanding a six- or seven-figure ransom to keep it offline. That’s exactly what’s happening now with Oracle’s E-Business Suite users. Around September 29, hackers began sending extortion emails to executives at multiple organizations, alleging that they’d stolen data from Oracle systems. Google’s Threat Intelligence Group describes the campaign as “high volume,” but cautions that they have yet to confirm whether the claims are valid.
The attackers are leaning on the reputation of Cl0p, a well-known ransomware entity. In a twist of strategy, the extortion messages include contact addresses previously used on Cl0p’s data leak site, presumably to lend legitimacy to their claims. In at least one case, a ransom demand of $50 million was reported by Bloomberg, drawing attention to both the boldness and potential scale of the campaign.
Oracle has acknowledged that some of its E-Business Suite customers have received these threatening emails, and announced an internal investigation. The company says the attackers appear to be leveraging vulnerabilities already addressed in its July 2025 Critical Patch Update. In its blog post, Oracle’s security leadership emphasized the importance of applying the latest patches and safeguarding exposed ports. The underlying message: the exploitation doesn’t appear to stem from a fresh “0-day” hole.
Security analysts offer a more granular view into how the attackers might be operating. Some point to default password-reset functions as a vector, especially when combined with compromised email accounts. For organizations using local Oracle accounts rather than enterprise SSO (single sign-on), the absence of multifactor authentication (MFA) can create weak points. In such configurations, attackers might trigger a password reset, gain login access, and then pose as legitimate users of the EBS (E-Business Suite) system. The fact that Oracle’s patch backlog from July included fixes for several EBS vulnerabilities, including ones allowing remote access, lends credence to the idea that attackers are not necessarily innovating new exploits, but rather leveraging gaps that weren’t fully locked down.
Another layer to watch: attribution. The hacker group FIN11 has historic links to financial extortion operations, and some of its compromised accounts appear intertwined with this campaign — further complicating the picture. Whether the threat actors behind these extortion attempts truly are Cl0p, or simply mimicking Cl0p to intimidate victims, remains a point of debate among specialists.
For companies running Oracle E-Business Suite, this episode is a sharp reminder of the importance of preventive hygiene: patch management, MFA enforcement, credential monitoring, and proactive threat hunting. Even when a breach isn’t confirmed, the mere appearance of unauthorized access via extortion emails can rattle stakeholders, customers, and brand credibility. As the investigation unfolds, affected organizations must tread cautiously: prepare as though the breach is real, respond transparently to leadership, and maintain open lines with cybersecurity and legal counsel.