Google Warns of Cl0p Extortion Campaign Against Oracle E-Business Users

The hackers have demanded ransoms reaching up to $50 million, with security firm Halcyon reporting multiple seven and eight-figure ransom demands.

Google Mandiant and the Google Threat Intelligence Group are tracking a suspected extortion campaign by the Cl0p ransomware group targeting executives with claims of stealing Oracle E-Business Suite data.

The hackers have demanded ransoms reaching up to $50 million, with cybersecurity firm Halcyon reporting multiple seven and eight-figure ransom demands in recent days. The group claims to have breached Oracle's E-Business Suite, which manages core operations including financial, supply chain, and customer relationship management functions.

Modus operandi

The attackers reportedly compromised user email accounts and abused Oracle E-Business Suite's default password reset functionality to obtain valid credentials. This technique bypassed single sign-on protections because local Oracle accounts lacked multi-factor authentication. At least one company has confirmed that data from its Oracle systems was stolen, according to sources familiar with the matter. The hackers provided proof of compromise to victims, including screenshots and file trees.

This activity began on or before September 29, 2025, though Mandiant experts remain in early investigation stages and have not yet substantiated all claims made by the group. Charles Carmakal, Mandiant's CTO, described the operation as a high-volume email campaign launched from hundreds of compromised accounts. Initial analysis confirms at least one compromised account previously associated with FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.

Threat actor background

Since August 2020, FIN11 has targeted organizations across multiple industries including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation. The group is believed to operate from Commonwealth of Independent States countries, with Russian-language file metadata found in their malware code. In 2020, Mandiant observed FIN11 hackers using spear-phishing messages to distribute a malware downloader called FRIENDSPEAK.

The extortion notes include an email address tied to a Cl0p affiliate as well as contact details for the Cl0p site, though Google lacks definitive proof to confirm the attackers' claims. The contact information in the malicious emails has been verified as publicly listed on the Cl0p data leak site, strongly suggesting an association with Cl0p and an effort to leverage its brand recognition. Cl0p has launched major attacks in recent years exploiting zero-day flaws in popular software including Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit.

Security recommendations

Oracle confirmed the investigation on October 3, 2025, stating that attacks potentially relate to critical vulnerabilities disclosed in their July 2025 Critical Patch Update. The company strongly encouraged customers to review the July update and patch their systems for protection. Mandiant researchers recommend investigating environments for indicators of compromise associated with Cl0p operations.