Oracle E-Business Suite Under Siege in Global Ransomware Scam

Cl0p Ransomware Targets Oracle Systems in $50M Extortion Threat

The420 Correspondent

Cybersecurity researchers at Google Mandiant and Google’s Threat Intelligence Group (GTIG) are tracking a suspected Cl0p ransomware affiliate that has launched a mass extortion campaign targeting Oracle’s E-Business Suite customers. The attackers claim to have stolen sensitive corporate data and demanded ransoms reaching $50 million, according to incident response firm Halcyon, which is working with affected organizations.

Oracle’s E-Business Suite is widely used by enterprises to manage core functions such as finance, supply chain, and customer relationship management, making the claims of compromise particularly serious. While investigators have not yet confirmed the full scope of the breach, at least one company has verified that data from its Oracle systems was exfiltrated.


Modus Operandi: Email Hacks and Credential Abuse

Preliminary analysis suggests that attackers exploited a combination of compromised user emails and Oracle E-Business Suite’s default password reset process to gain access to valid accounts. Proofs provided to victims include file trees and screenshots, a common Cl0p tactic to increase ransom pressure.

“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” said Cynthia Kaiser, Vice President at Halcyon’s Ransomware Research Center. “We’ve seen Cl0p demand seven- and eight-figure ransoms in just the last few days.”

According to Mandiant’s CTO Charles Carmakal, the extortion campaign involves “hundreds of compromised accounts” in a coordinated push. At least one account has been tied to FIN11, a financially motivated threat group long associated with Cl0p ransomware deployment.

Cl0p has previously exploited major vulnerabilities in software ecosystems such as Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit, affecting thousands of organizations worldwide. Mandiant researchers note that metadata and prior campaigns suggest the group operates primarily from the Commonwealth of Independent States (CIS), deliberately avoiding deployments within the region.

Early Stage, But Risks Are High

Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, emphasized caution.
“This activity began on or before September 29, but we are still in the early stages of multiple investigations. While some indicators tie this campaign to Cl0p affiliates, we lack definitive proof that the attackers’ claims are fully accurate.”

Nonetheless, Mandiant has urged organizations running Oracle E-Business Suite to scan for indicators of compromise (IOCs) linked to Cl0p and FIN11.
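The access pattern the article describes (a password reset on an account, followed by a login from a source that account has never used) and the IOC sweep Mandiant recommends are both things a defender can look for in authentication logs. The script below is an added illustration written for this article, not code from Mandiant, Halcyon or Oracle; the event format, the sample events, the timestamps and the IOC address are all constructed for the example and are not Oracle E-Business Suite's real log layout or any published indicator list.

```python
"""Detection sketch: flag logins from a source an account has never used
that occur shortly after a password reset, and match event sources against
an IOC list.  Event format, sample data and IOC values are constructed for
this example (not real logs, not a published IOC list)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_kind, user, source_ip)
SAMPLE_EVENTS = [
    ("2025-09-29T08:00:00", "login",          "alice", "10.0.0.5"),
    ("2025-09-29T08:05:00", "login",          "bob",   "10.0.0.7"),
    ("2025-09-29T09:10:00", "password_reset", "alice", "10.0.0.5"),
    ("2025-09-29T09:12:00", "login",          "alice", "10.0.0.5"),     # same source as before: benign
    ("2025-09-29T10:00:00", "password_reset", "bob",   "203.0.113.9"),
    ("2025-09-29T10:03:00", "login",          "bob",   "203.0.113.9"),  # never-seen source right after reset
    ("2025-09-30T11:00:00", "login",          "carol", "198.51.100.4"),
]

# Placeholder IOC set for illustration only; real indicators come from vendor advisories.
SAMPLE_IOCS = {"198.51.100.4"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Return (user, reset_ts, login_ts, source_ip) for each login that
    (a) follows a password reset for the same user within `window`, and
    (b) comes from a source IP the account had not used before the reset."""
    events = sorted(events, key=lambda e: e[0])
    known_sources = defaultdict(set)   # user -> set of source IPs seen so far
    pending_resets = {}                # user -> timestamp of most recent reset
    hits = []
    for ts_s, kind, user, ip in events:
        ts = parse_ts(ts_s)
        if kind == "password_reset":
            pending_resets[user] = ts
        elif kind == "login":
            reset_ts = pending_resets.get(user)
            if (reset_ts is not None
                    and ts - reset_ts <= window
                    and ip not in known_sources[user]):
                hits.append((user, reset_ts.isoformat(), ts.isoformat(), ip))
            known_sources[user].add(ip)
    return hits


def match_iocs(events, iocs):
    """Return (user, source_ip, timestamp) for every event whose source is in the IOC set."""
    return [(user, ip, ts) for ts, _, user, ip in events if ip in iocs]


if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_EVENTS):
        print("reset-then-new-source login:", hit)
    for hit in match_iocs(SAMPLE_EVENTS, SAMPLE_IOCS):
        print("IOC match:", hit)
```

The correlation is deliberately simple: it only learns "known" sources from the log window it is given, so in production you would seed `known_sources` from a longer history and tune `window` to how quickly your reset flow issues a usable credential. A single hit is a lead for an analyst, not proof of compromise.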

A Familiar and Evolving Threat

Since 2020, FIN11 has expanded from spear-phishing campaigns — which distributed malware such as the FRIENDSPEAK downloader — to high-profile ransomware and extortion operations. With the current Oracle-related campaign, analysts say the group is leveraging Cl0p’s brand recognition to amplify the psychological pressure on victims.

Cybersecurity experts warn that if the claims are substantiated, this campaign could be one of the largest Oracle-related extortion attempts to date, potentially impacting organizations in sectors ranging from finance and energy to healthcare and defense.

The Road Ahead

While investigations continue, the case illustrates the escalating sophistication of ransomware groups that blend technical exploits with aggressive extortion tactics. For enterprises running Oracle E-Business Suite, the episode is a stark reminder of the importance of patching, credential management, and zero-trust security models.

As Carmakal of Mandiant put it: “This is a high-volume, global campaign. Organizations need to take immediate steps to detect compromise, patch vulnerabilities, and prepare response playbooks before these extortion threats escalate further.”
