Close Menu
Cyber Updates

New Oracle Extortion Wave Tied to Cl0p Ransomware

Staff WriterBy Updated:No Comments2 Mins Read1 Views

Essential Insights

  1. Emerging Threat: Google Mandiant and GTIG are tracking a new extortion campaign linked to the financially motivated threat actor Cl0p, targeting organizations’ executives and claiming data theft from Oracle E-Business Suite.

  2. High-Volume Campaign: The campaign consists of mass emails sent from hundreds of compromised accounts, with ties to FIN11, known for previous ransomware and extortion activities.

  3. Potential Vulnerabilities: Initial access to systems may involve compromised user emails and exploiting password reset functions on Oracle E-Business Suite portals.

  4. Call to Action: Google urges organizations to investigate their systems for evidence of this threat, despite currently lacking direct evidence of Cl0p’s involvement.

New Extortion Campaign Targets Oracle Users

Google Mandiant and the Google Threat Intelligence Group (GTIG) have initiated investigations into a new wave of extortion linked to the Cl0p ransomware group. This malicious activity appears to target executives at several organizations, with claims of having stolen sensitive data from Oracle E-Business Suite. As of late September 2025, Mandiant’s experts continue to examine the situation, noting they have not yet verified the threats being made.

Experts describe the operations as a “high-volume email campaign” involving hundreds of compromised accounts. Notably, one compromised account seems connected to FIN11, a subset of the TA505 group involved in extortion and ransomware attacks dating back to 2020. This significant correlation raises concerns about the potential for wide-scale cyber threats, prompting organizations to scrutinize their security practices.

Connections and Warnings for Organizations

Mandiant’s Chief Technology Officer highlighted that the malicious emails include contact details linking back to the Cl0p data leak site. This connection suggests the attackers may be banking on Cl0p’s existing notoriety to enhance their credibility. However, Google has not substantiated these links, urging companies to explore their systems for any signs of compromise.

The methodology behind the attackers’ initial access remains unclear. Reports suggest they may be abusing the default password reset function on Oracle E-Business Suite portals after compromising user emails. This tactic adds a layer of complexity to the threat landscape, making it imperative for organizations to bolster their defenses. As cyber threats continue to evolve, the need for vigilance in cybersecurity practices has never been more urgent.

Expand Your Tech Knowledge

Explore the future of technology with our detailed insights on Artificial Intelligence.

Access comprehensive resources on technology by visiting Wikipedia.

DataProtection-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.