Ethical Hacking News
The Clop ransomware gang has launched an email-based extortion campaign claiming theft of sensitive Oracle E-Business Suite data. This operation began on or before September 29, 2025, and involves sending high-volume emails to executives at multiple organizations. To stay ahead of this threat, organizations should conduct thorough investigations into their environments for any unusual access or compromise in their Oracle E-Business Suite platforms.
Mandiant and Google have uncovered an email-based extortion campaign by the Clop ransomware gang targeting companies that run Oracle E-Business Suite. The emails claim that sensitive data was stolen from these systems, but Mandiant is still investigating whether any data has actually been compromised. The Clop ransomware gang has been linked to several high-profile data breaches and zero-day exploits in the past, including attacks exploiting GoAnywhere vulnerabilities. Organizations receiving these emails are advised to conduct thorough investigations into their environments for any unusual access or compromise. A $10 million reward is being offered by the US State Department's Rewards for Justice program for information linking Clop's ransomware activities to a foreign government.
Lawrence Abrams is a renowned security expert and the owner of BleepingComputer.com, a popular online resource for individuals seeking information on cybersecurity issues. Recently, Mr. Abrams uncovered an intricate extortion scheme perpetrated by the Clop ransomware gang, which targeted multiple companies using Oracle E-Business Suite systems.
According to Mandiant, a cybersecurity firm specializing in threat intelligence, and Google, it appears that the Clop ransomware gang has launched an email-based extortion campaign. The operation began on or before September 29, 2025, and involves sending high-volume emails to executives at multiple organizations claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
A recent analysis by Mandiant revealed that these emails were sent from hundreds of compromised email accounts associated with the FIN11 group, a notorious financially motivated threat actor known for deploying ransomware and engaging in extortion. The Clop ransomware gang has previously been linked to several high-profile data breaches, including attacks exploiting GoAnywhere zero-day vulnerabilities, which resulted in significant financial losses for affected organizations.
While Mandiant experts confirm that they are still in the early stages of investigating these claims, the emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. This suggests a link between the extortion campaign and the Clop gang, but further evidence is required to determine whether any data has actually been stolen.
In light of this information, Mandiant and Google advise organizations receiving these emails to conduct thorough investigations of their environments for any unusual access to, or compromise of, their Oracle E-Business Suite platforms. This should include reviewing system logs, checking for unauthorized changes, and verifying the authenticity of the email communications received.
BleepingComputer.com has reached out to the Clop ransomware gang, but as yet no response has been received. Additionally, an inquiry has been made to Oracle regarding any recent zero-day exploits that may have led to the theft of sensitive data from Oracle E-Business Suite systems. The U.S. State Department's Rewards for Justice program is also offering a $10 million reward for information linking Clop's ransomware activities to a foreign government.
Furthermore, it is worth noting that the Clop ransomware gang has been linked to several other notable attacks, including:
* In 2020, they exploited a zero-day in the Accellion FTA platform, affecting nearly 100 organizations.
* In 2021, they breached SolarWinds Serv-U FTP software.
* In 2023, they exploited a zero-day in the GoAnywhere MFT platform, breaching over 100 companies.
* The most recent campaign associated with Clop was in October 2024, when the threat actors exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies.
In conclusion, the recent extortion emails sent by the Clop ransomware gang claiming theft of sensitive Oracle E-Business Suite data serve as a stark reminder of the ongoing threat posed by these cybercriminals. As organizations continue to navigate the complex landscape of cybersecurity threats, it is essential that they remain vigilant and take proactive steps to protect their systems from such malicious activities.
Related Information:
https://www.ethicalhackingnews.com/articles/Clop-Ransomware-Gang-Sent-Extortion-Emails-Claiming-Theft-of-Sensitive-Oracle-E-Business-Suite-Data-ehn.shtml
Published: Wed Oct 1 23:12:57 2025 by llama3.2 3B Q4_K_M