A new wave of extortion emails is hitting executives, claiming stolen data from Oracle E-Business Suite systems.
According to BleepingComputer, executives at multiple organizations have begun receiving extortion emails from actors claiming to be part of the Clop ransomware group. The emails allege that data was stolen from the companies’ Oracle E-Business Suite systems and will be sold or leaked unless a ransom is paid. The campaign, which began in late September 2025, is being tracked by Mandiant and Google’s Threat Intelligence Group (GTIG).
The emails are being sent from hundreds of compromised email accounts. Mandiant has confirmed that at least one of those accounts has previous links to FIN11, a financially motivated group associated with ransomware and extortion campaigns.
In the messages, the attackers claim they’ve exploited an Oracle vulnerability to extract confidential business documents. They threaten to leak or sell the data if the targeted companies do not pay. While the emails use language and email addresses consistent with known Clop tactics, Mandiant and GTIG say there is currently no confirmed evidence that data was actually stolen in these attacks.
After the story was published, Clop told BleepingComputer they were behind the emails and that the attacks exploited a bug in Oracle’s product. However, the group did not provide further proof. Oracle later confirmed that the extortion claims may involve vulnerabilities patched in its July 2025 Critical Patch Update.
Security experts recommend that any organization using Oracle E-Business Suite immediately check for signs of compromise and ensure all recent patches are applied.
Genevieve Stark of GTIG confirmed that investigations are ongoing, stating, “Mandiant’s experts are still in the early stages... and have not yet substantiated the claims.” Mandiant CTO Charles Carmakal added that the scale of the campaign is notable and involves compromised accounts previously linked to FIN11.
In its public response, Oracle reaffirmed the importance of applying the July 2025 patches, suggesting threat actors may be exploiting previously disclosed vulnerabilities. A post by Oracle’s CSO Rob Duhart confirmed the company is continuing to investigate.
Clop’s message to BleepingComputer framed the campaign as a form of “protection,” implying the ransom is a fee for securing affected companies’ data. However, they declined to disclose technical details.
Oracle E-Business Suite is a widely used enterprise resource planning (ERP) system that manages financials, supply chain, HR, and customer data, making it a valuable target for attackers seeking sensitive corporate information.
Organizations should avoid engaging directly with the attackers, notify internal security teams, investigate for signs of unauthorized access, and report the incident to appropriate authorities or security vendors.
Staying current with vendor-issued security patches, especially Oracle’s Critical Patch Updates, and monitoring for suspicious account activity are key steps in reducing risk from extortion campaigns.
The names Clop, FIN11, and TA505 refer to overlapping or related threat actor groups. Clop is often linked to FIN11 and TA505, all known for large-scale ransomware and data extortion campaigns targeting enterprise systems.