
A recent incident involving Oracle’s E-Business Suite has led to extortion attempts against executives at multiple large organizations that use the software. While the exact date of the initial breach is unclear, ransom demands began arriving on Sept. 29, 2025.
The attackers, linked to the gang Cl0p (also known as Clop), have already claimed responsibility for the attack. In one reported case, the attackers demanded as much as $50 million, according to cybersecurity firm Halcyon, which is helping to investigate the campaign.
Understanding how it happened
Halcyon reports that Cl0p is attempting to pressure victims by proving its access to corporate systems.
“We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days. This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” said Cynthia Kaiser, vice president with Halcyon’s ransomware research center, in a recent Bloomberg article.
Investigators believe the hackers abused compromised user email accounts and exploited the password reset process to gain valid credentials for Oracle’s E-Business Suite portals. Once inside, they launched extortion attempts by sending mass emails, sometimes including screenshots and file trees to demonstrate access to stolen data.
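The sequence described above, a password reset followed shortly by a login from an address the account has never used, is something defenders can look for in their own authentication logs. The script below is an added illustration, not code from the article, from Halcyon, or from Oracle; it assumes a simplified, constructed log line format (timestamp, event name, user and source IP) rather than Oracle E-Business Suite’s actual log layout, and the sample events are made up for the demonstration.

```python
"""Flag password resets that are followed, within a short window, by a login
from a source IP the account has never logged in from before.

Added example. The log format is an assumption made for this illustration,
not the real Oracle E-Business Suite format; adapt parse_event() to your own
audit source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One event per line:
#   <ISO-8601 timestamp> <event> user=<name> src_ip=<address>
SAMPLE_EVENTS = [
    "2025-09-28T08:01:00Z login user=alice src_ip=10.1.1.10",
    "2025-09-28T09:15:00Z login user=bob src_ip=10.1.1.20",
    "2025-09-29T02:03:00Z password_reset user=alice src_ip=203.0.113.7",
    "2025-09-29T02:05:30Z login user=alice src_ip=203.0.113.7",
    "2025-09-29T10:00:00Z password_reset user=bob src_ip=10.1.1.20",
    "2025-09-29T10:02:00Z login user=bob src_ip=10.1.1.20",
]


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": fields["user"],
        "src_ip": fields["src_ip"],
    }


def find_suspicious_resets(lines, window=timedelta(minutes=30)):
    """Return alerts for logins that follow a password reset within `window`
    and originate from an IP the user has not previously logged in from.

    Known IPs are learned only from logins that were not themselves flagged,
    so a suspicious login does not quietly become part of the baseline.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    known_ips = defaultdict(set)  # user -> IPs seen on earlier, unflagged logins
    pending = {}                  # user -> (reset timestamp, reset source IP)
    alerts = []

    for e in events:
        user = e["user"]
        if e["event"] == "password_reset":
            pending[user] = (e["ts"], e["src_ip"])
        elif e["event"] == "login":
            reset = pending.pop(user, None)
            recent_reset = reset is not None and e["ts"] - reset[0] <= window
            if recent_reset and e["src_ip"] not in known_ips[user]:
                alerts.append({
                    "user": user,
                    "reset_at": reset[0].isoformat(),
                    "reset_ip": reset[1],
                    "login_at": e["ts"].isoformat(),
                    "src_ip": e["src_ip"],
                })
            else:
                known_ips[user].add(e["src_ip"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print("ALERT: reset-then-login from unfamiliar IP:", alert)
```

In the sample data only alice trips the rule: her reset and the login two minutes later both come from 203.0.113.7, an address her account has never used, while bob resets and logs in from his usual 10.1.1.20. In practice the same correlation is worth running against the mailbox that receives the reset link as well as the portal itself, since the article describes the e-mail account as the first thing compromised.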
Analyzing the group’s activities
Cl0p’s approach in this case departs slightly from its usual exploitation of zero-day vulnerabilities; instead, it leaned on compromised credentials and large-scale phishing. The extortion messages contained clumsy English and grammatical mistakes, a hallmark that security analysts have linked to the group’s past campaigns. Some of the emails were tracked back to accounts previously associated with Cl0p, reinforcing suspicions of its involvement.
Because most Cl0p members speak fluent Russian, most security researchers place the group in that region.
Cl0p has been active for several years and is known for large-scale ransomware and data theft operations; its victims have included the British Broadcasting Corp. (BBC), Shell, and British Airways. In 2023, the group exploited flaws in MOVEit Transfer, a file transfer tool, compromising data at hundreds of organizations worldwide.
Government response and advisory
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity advisory in 2023 warning about Cl0p’s tactics, techniques, and procedures, describing it as one of the most widespread distributors of phishing and malicious spam.
CISA recommends a series of defensive measures to reduce exposure to groups like Cl0p:
- Taking inventory of assets and data.
- Distinguishing between authorized and unauthorized traffic.
- Monitoring network ports.
- Installing software updates as they are released.
- Granting system admin privileges to individual users only when necessary.
Proactive monitoring, layered defenses, and fast patching remain the best ways to counter ransomware gangs that combine phishing with data theft.