In a troubling escalation of corporate cyber threats, Oracle has confirmed that customers of its E-Business Suite are receiving extortion emails from hackers claiming to have exfiltrated sensitive data.  The vendor’s disclosure follows earlier warnings from Google’s cybersecurity teams, which described the campaign as “high-volume” and emphasized the urgent risk to enterprises across sectors.

What We Know So Far

Extortion Emails with Proof-of-Compromise Claims

The threat actors, who claim affiliation with the ransomware group Cl0p, have sent emails to executives and IT decision-makers, asserting that they obtained data from Oracle’s systems.  To prove their claims, the attackers offer to share a small sample of stolen files or data rows upon request.  Their messages are laced with threats: victims are pressured by deadlines and warned that noncompliance will lead to public disclosure, sale of data, or wider exposure.  The tone is transactional: “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

The language in the emails is often broken or imprecise, a hallmark seen in prior Cl0p campaigns.  Contact info included in the messages corresponds to addresses previously used on the Cl0p data leak platform, reinforcing suspicions of authenticity.

Vulnerabilities and Attack Vector

Oracle acknowledges that the hackers may have exploited previously known vulnerabilities that were addressed in its July 2025 Critical Patch Update. Some of the E-Business Suite vulnerabilities fixed there were characterised as “remotely exploitable without authentication,” which raises the stakes for any instance still running unpatched. While Oracle has not confirmed which flaws are being actively exploited, its internal investigation points to those addressed in the July update.

Oracle has urged all affected customers to apply the latest patches and upgrade to supported versions. The company also emphasised that its investigation is still at an early stage and that it has not yet determined the full scope of the incident or the number of customers affected.

Ransom Demands and Threat Actor Profile

Ransom demands in some cases have reportedly climbed into the tens of millions of dollars, with one notable demand reaching $50 million. Security firm Halcyon described demands ranging from “millions to tens of millions” in ongoing negotiations.

Cl0p operates as a ransomware-as-a-service group, renting out its tools and access to affiliates in return for a share of the proceeds. The group has long been associated with Russian or Russian-speaking threat actors, although no definitive attribution has yet been confirmed. Cl0p is known for its agile tactics, shifting strategies, and high-profile breaches.

Why This Matters

  • Critical systems at risk: Oracle’s E-Business Suite underpins financials, supply chain, customer management, and operations in many enterprises. A compromise here can ripple deep into business continuity.

  • Wider exposure: Attackers are reportedly using compromised third-party accounts (from unrelated organizations) to launch the extortion emails, aiming to avoid detection and bypass spam filters.

  • Regulatory and reputational damage: Even if data hasn’t been publicly leaked yet, the fear of exposure can fuel coercion—especially for firms bound by privacy laws or operating in highly regulated sectors.
Advice for Affected Organizations

  1. Apply patches immediately: Review Oracle’s July 2025 security updates and prioritize any unpatched E-Business Suite instances.

  2. Audit for indicators of compromise: Look for unusual access, privilege escalation, or unauthorized data exports.

  3. Harden email systems and MFA: Ensure that executive and administrative mailboxes have strict protections, including multi-factor authentication (MFA) and anomaly detection.

  4. Consult legal and forensics teams early: The moment extortion is claimed, lawyers and cyber incident response providers should be looped in.

  5. Track attribution and threat intelligence: Stay updated via security firms, CERTs, and threat intel communities for evolving tactics of Cl0p or related groups.
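Step 2 above asks responders to look for unusual access, privilege escalation and unauthorized data exports. The script below is an added example of how such a first-pass triage can be scripted; it is not Oracle code and not Oracle E-Business Suite log output. The pipe-delimited audit format, the sample lines, the business-hours window, the export-size threshold and the internal address prefixes are all constructed assumptions that a real deployment would replace with its own audit source and baselines.

```python
"""
First-pass triage over an application audit trail, flagging the three
indicator classes named in the advice: unusual access, privilege escalation
and large (potentially unauthorized) data exports.

The log format and every sample line here are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: "timestamp|user|src_ip|action|detail"
SAMPLE_LOG = """\
2025-10-01T09:12:04|jsmith|10.1.4.22|LOGIN|ok
2025-10-01T09:15:31|jsmith|10.1.4.22|EXPORT|rows=120 table=AP_INVOICES
2025-10-02T02:41:17|jsmith|185.0.0.1|LOGIN|ok
2025-10-02T02:43:50|jsmith|185.0.0.1|GRANT_ROLE|role=SYSADMIN
2025-10-02T02:50:09|jsmith|185.0.0.1|EXPORT|rows=250000 table=HR_EMPLOYEES
2025-10-02T10:05:00|mlee|10.1.4.30|LOGIN|ok
"""

# Assumed baselines; tune these to the environment being investigated.
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local counts as normal
EXPORT_ROW_THRESHOLD = 10_000            # exports at or above this are flagged
INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed corporate address ranges


def parse_line(line):
    """Split one constructed audit line into a dict; 'detail' holds k=v pairs."""
    ts, user, ip, action, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "action": action, "fields": fields}


def find_indicators(log_text):
    """Return a list of findings, each tagged with an indicator category."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    seen_ips = defaultdict(set)  # per-user source addresses observed so far

    for e in events:
        ts = e["ts"].isoformat()
        if e["action"] == "LOGIN":
            reasons = []
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("off-hours login")
            if not e["ip"].startswith(INTERNAL_PREFIXES):
                reasons.append("login from non-corporate address")
            # Only a change relative to an already-seen address is notable.
            if seen_ips[e["user"]] and e["ip"] not in seen_ips[e["user"]]:
                reasons.append("new source address for this user")
            seen_ips[e["user"]].add(e["ip"])
            if reasons:
                findings.append({"ts": ts, "user": e["user"],
                                 "category": "unusual access",
                                 "reason": "; ".join(reasons)})
        elif e["action"] == "GRANT_ROLE":
            findings.append({"ts": ts, "user": e["user"],
                             "category": "privilege escalation",
                             "reason": f"role {e['fields'].get('role')} granted"})
        elif e["action"] == "EXPORT":
            rows = int(e["fields"].get("rows", 0))
            if rows >= EXPORT_ROW_THRESHOLD:
                table = e["fields"].get("table", "?")
                findings.append({"ts": ts, "user": e["user"],
                                 "category": "data export",
                                 "reason": f"{rows} rows exported from {table}"})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['ts']}  {f['user']:<8} {f['category']:<21} {f['reason']}")
```

On the constructed sample the script reports three findings, all for the same account: an off-hours login from an outside address, a role grant minutes later, and a quarter-million-row export. Seen together that sequence is exactly the access, escalation and exfiltration chain the advice asks responders to hunt for; individually, each line might be dismissed as noise, which is why the findings are kept per user rather than per event.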

As the investigation progresses, the full extent of the damage and which customers—if any—paid the ransom remain unknown. For now, Oracle’s warning serves as a stark reminder: even mature enterprise systems are vulnerable to evolving extortion strategies.