Google has warned that executives and IT departments at major organisations are facing extortion attempts after hackers claimed to have stolen sensitive data from Oracle Corp.’s widely used E-Business Suite. The campaign, linked to the notorious Cl0p ransomware group, began in late September and includes ransom demands of up to $50 million, according to cybersecurity firms involved in the response.
Cl0p’s new campaign
Hackers say they have breached Oracle’s E-Business Suite, software that underpins critical corporate functions such as finance, supply chains and customer management. At least one affected company has confirmed its systems were compromised, while multiple victims have received proof of intrusion in the form of screenshots and file listings.
Halcyon, a cybersecurity firm responding to the incidents, reported that ransom demands have reached eight-figure sums. “We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days,” said Cynthia Kaiser, vice-president at Halcyon’s ransomware research centre.
How the attacks work
Google’s Threat Intelligence Group found that the extortion emails were first circulated on or before 29 September, sent through hundreds of hijacked third-party accounts. The attackers claimed to have exfiltrated corporate data and used email addresses previously linked to Cl0p affiliates.
According to Halcyon, the hackers obtained access by abusing Oracle’s default password-reset process on internet-facing portals, though some security experts believe an underlying software flaw may have been exploited instead.
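The reported abuse of a self-service password-reset flow is something a defender can watch for in portal access logs. The script below is an added example, not code from the article, Oracle, Halcyon or Google; it assumes a generic, constructed access-log format in which reset attempts are POSTs to an assumed `/reset-password` path, and it flags any source address that requests resets for an unusually large number of distinct accounts in a short window.

```python
"""Flag bursts of password-reset requests against an internet-facing portal.

Added example, not from the article or from Oracle/Halcyon/Google. The log
layout (timestamp, source IP, method, path, user=...), the RESET_PATH value
and the thresholds are all assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): one source hammers the
# reset endpoint for six accounts in eleven seconds; the rest is benign noise.
SAMPLE_LOG = """\
2025-09-28T09:00:01Z 203.0.113.5 POST /reset-password user=alice
2025-09-28T09:00:03Z 203.0.113.5 POST /reset-password user=bob
2025-09-28T09:00:04Z 203.0.113.5 POST /reset-password user=carol
2025-09-28T09:00:06Z 203.0.113.5 POST /reset-password user=dave
2025-09-28T09:00:09Z 203.0.113.5 POST /reset-password user=erin
2025-09-28T09:00:12Z 203.0.113.5 POST /reset-password user=frank
2025-09-28T09:15:00Z 198.51.100.7 POST /reset-password user=alice
2025-09-28T09:20:00Z 198.51.100.9 GET /login user=-
"""

RESET_PATH = "/reset-password"  # assumed endpoint name


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, ip, method, path, user_field = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path,
        "user": user_field.split("=", 1)[1],
    }


def find_reset_bursts(log_text, window=timedelta(minutes=5), max_accounts=3):
    """Return {source_ip: set(accounts)} for every source that requested a
    password reset for more than max_accounts distinct accounts inside any
    sliding window of the given length."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["path"] == RESET_PATH:
            events[rec["ip"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # accounts touched from this event to the end of the window
            accounts = {u for t, u in evs[i:] if t - start <= window}
            if len(accounts) > max_accounts:
                flagged[ip] = accounts
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_reset_bursts(SAMPLE_LOG).items():
        print(f"reset burst from {ip}: {sorted(accounts)}")
```

The threshold of more than three distinct accounts per five minutes from one address is deliberately loose; a real deployment would tune it against baseline help-desk traffic and also correlate with reset tokens that are actually redeemed.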
Sloppy emails, high stakes
People familiar with the campaign described the ransom notes as riddled with spelling and grammar mistakes, a hallmark of the group’s previous operations. Victims were provided with contact details matching those on Cl0p’s dark web leak site, though it remains unclear whether any organisations have agreed to pay.
Oracle has so far declined to comment on the alleged breaches. The incidents add to a growing list of attacks attributed to Cl0p, which in 2023 exploited a flaw in MOVEit file-transfer software, stealing data from hundreds of firms including Shell, British Airways parent IAG and the BBC.
A persistent global threat
Cl0p has long been described as one of the world’s most prolific ransomware groups. The US Cybersecurity and Infrastructure Security Agency (CISA) warned last year that the gang had compromised thousands of organisations worldwide through phishing and mass email attacks.
(With inputs from Bloomberg)