Ethical Hacking News
A new Cl0p ransomware extortion campaign has been detected targeting Oracle E-Business Suite users, with attackers claiming theft of critical data. The suspected group is linked to FIN11, a financially motivated threat group known for deploying ransomware and engaging in extortion. Google researchers are tracking the activity and urging companies to investigate their environments for indicators of compromise associated with the Cl0p operation.
Pierluigi Paganini has been tracking a suspected Cl0p ransomware group's activity since September 29, 2025. The attackers claimed to have breached Oracle's E-Business Suite and demanded up to $50 million in ransom. The attackers exploited a vulnerability in Oracle's default password reset feature to gain valid credentials. Google Mandiant and Google Threat Intelligence Group (GTIG) researchers are tracking the group's activity, which includes stealthy mass data theft and ransom demands. The suspected Cl0p ransomware group is believed to be affiliated with a criminal outfit called FIN11. The attack is part of a larger pattern of behavior by the group, targeting organizations in multiple industries.
Pierluigi Paganini, a renowned cybersecurity expert and founder of Security Affairs, has been tracking a suspected Cl0p ransomware group's activity that has been sending extortion emails to executives claiming theft of Oracle E-Business Suite data. The attack is believed to have begun on or before September 29, 2025, with the attackers using hundreds of hacked accounts in a mass extortion campaign.
According to reports from cybersecurity firms Halcyon and Mandiant, the group of hackers claimed to have breached Oracle's E-Business Suite, which runs core operations including financial, supply chain, and customer relationship management. In one case, they demanded a ransom of up to $50 million. The attackers allegedly exploited a vulnerability in Oracle's E-Business Suite, specifically the default password reset feature.
Google Mandiant and Google Threat Intelligence Group (GTIG) researchers are tracking this suspected Cl0p ransomware group's activity, which is marked by stealthy, mass data theft. This approach heightens their leverage in ransom negotiations, according to Halcyon's ransomware research center vice president Cynthia Kaiser. The group claims to be affiliated with a criminal outfit called Cl0p and has provided proof of compromise to victims, including screenshots and file trees.
Mandiant researcher Charles Carmakal stated that attackers use hundreds of hacked accounts in the mass extortion campaign. At least one account links to the financially motivated hacker group FIN11, which is known for deploying ransomware and engaging in extortion. The researchers believe FIN11 operates from the Commonwealth of Independent States (CIS – former Soviet Union countries).
The Cl0p ransomware group has launched major attacks in recent years, exploiting zero-day flaws in popular software such as Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit. This attack is part of a larger pattern of behavior by the group, which has been targeting organizations in many industries.
In August 2020, Mandiant experts observed Russian-language file metadata in the code of the malware and reported that the Clop ransomware was only deployed on machines with a keyboard layout used outside CIS countries. At the time, researchers from FireEye's Mandiant observed FIN11 hackers using spear-phishing messages to distribute a malware downloader dubbed FRIENDSPEAK.
The malicious emails contain contact information, and the researchers have verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS). This strongly suggests some association with Cl0p, with the actors leveraging the brand's recognition for their current operation.
Halcyon, citing people familiar with the matter, reported that the threat actors exploited a vulnerability in Oracle's E-Business Suite. Mandiant researchers recommend that organizations investigate their environments for indicators of compromise associated with the Cl0p operation.
At least one company has confirmed that data from its Oracle systems was stolen. The attackers likely compromised user email accounts and abused Oracle E-Business Suite's default password reset feature to obtain valid credentials.
Google does not yet have proof to confirm the attackers' claims; Mandiant and GTIG are still in the early stages of multiple investigations. The researchers believe there may be an association between FIN11 and Cl0p, as both engage in ransomware-related activities.
In conclusion, this extortion campaign by the suspected Cl0p ransomware group highlights the ongoing threat posed by sophisticated attackers who exploit vulnerabilities in popular software to steal sensitive data and demand ransom from their victims.
Related Information:
https://www.ethicalhackingnews.com/articles/Cl0p-Ransomware-Extortion-Campaign-Targets-Oracle-E-Business-Users-ehn.shtml
https://securityaffairs.com/182893/cyber-crime/google-warns-of-cl0p-extortion-campaign-against-oracle-e-business-users.html
https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-theft-of-oracle-e-business-suite-data/
Published: Fri Oct 3 02:04:16 2025 by llama3.2 3B Q4_K_M