Clop Ransomware Group Claims Oracle Data Theft in New Extortion Emails

Summary
– Mandiant and Google are tracking a new extortion campaign targeting executives with claims of data theft from Oracle E-Business Suite systems.
– The campaign began in late September 2025, but investigators have not yet verified the data theft claims made by the threat actors.
– Extortion emails are being sent from hundreds of compromised accounts, with at least one linked to the financially motivated threat group FIN11.
– Clop ransomware gang claimed responsibility for the attacks, alleging they exploited a bug in Oracle’s product, though details were not provided.
– Oracle’s investigation suggests the attacks exploited vulnerabilities that were patched in the July 2025 security updates, and they recommend applying the latest patches.
A sophisticated new extortion campaign has emerged, targeting corporate executives with alarming emails alleging massive data theft from their Oracle E-Business Suite systems. Security firms Mandiant and Google are actively tracking this campaign, which began circulating in late September according to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG. While investigations remain in preliminary stages, the scale and methodology have raised significant concerns across the cybersecurity community.
Charles Carmakal, CTO of Mandiant – Google Cloud, revealed that attackers are leveraging hundreds of compromised email accounts to distribute these extortion messages. Initial analysis indicates at least one account has historical connections to FIN11, a financially motivated threat group with a long track record of ransomware deployment and extortion schemes. This connection suggests possible involvement from established cybercriminal networks rather than new actors.
The threatening emails, purportedly from the Clop ransomware team, contain bold claims about breaching Oracle E-Business Suite applications and exfiltrating substantial amounts of confidential documents. The messages explicitly demand payment to prevent public exposure of stolen data, threatening to sell information to “black actors” and publish materials on torrent trackers if companies refuse to negotiate. Security researchers have confirmed that the contact addresses in these emails match those used on Clop’s known data leak site, strengthening the potential connection to this notorious cybercrime group.
Despite these concerning indicators, Carmakal emphasizes that investigators haven’t yet verified whether actual data theft has occurred. The tactics mirror Clop’s previous extortion campaigns, but definitive evidence linking the claims to real breaches remains elusive. Security professionals recommend that organizations receiving these communications immediately investigate their Oracle E-Business Suite environments for unusual access patterns or potential compromises.
Following initial reports, Clop representatives contacted media outlets to claim responsibility while hinting at exploited vulnerabilities in Oracle’s core products. The group asserted they “do not damage systems” and framed their demands as payment for “services” protecting major corporations. Meanwhile, Oracle’s Chief Security Officer Rob Duhart published a statement suggesting attackers likely exploited vulnerabilities addressed in the July 2025 Critical Patch Updates, reinforcing the company’s recommendation for customers to implement the latest security patches promptly.
The Clop ransomware operation first appeared in March 2019 and has evolved significantly since its initial campaigns. Also tracked as TA505 and FIN11, the group originally targeted enterprise networks with CryptoMix ransomware variants before shifting toward zero-day exploitation in secure file transfer platforms beginning in 2020. Their most recent notable campaign occurred in October 2024, when they leveraged two Cleo file transfer zero-days to steal corporate data. The U.S. State Department currently offers a $10 million reward through its Rewards for Justice program for information connecting Clop’s activities to foreign governments.
This developing situation highlights the ongoing challenges organizations face in protecting critical business systems against determined threat actors. As security teams work to validate the claims and identify the true scope of potential compromises, the incident serves as a stark reminder about the importance of timely patch management and comprehensive security monitoring.
(Source: Bleeping Computer)