Oracle on Thursday said the company is investigating a wave of extortion emails targeting customers of its E-Business Suite. Oracle confirmed the attacks might be related to software vulnerabilities disclosed in July.
As previously reported, hackers claiming to be linked to the Clop ransomware gang have been sending hundreds of emails to corporate executives that use the Oracle product, claiming to have stolen data.
Oracle’s chief security officer, Rob Duhart, said the attacks are potentially related to critical vulnerabilities disclosed by the company in July, according to a blog post from the company on Thursday.
Duhart strongly encouraged Oracle customers to review the July update and patch their systems to make sure they are protected.
Researchers from Google Threat Intelligence Group on Thursday warned that hackers claiming a Clop affiliation have been sending emails to corporate executives threatening extortion, but did not provide immediate proof that any data had been stolen.
Google and its Mandiant incident response unit track the group under the name FIN11, a group that has strong historic ties to Clop.
The extortion letters provided contact emails where the executives could reply to the demands. Those email addresses matched ones previously used by Clop. The threat group is widely known for its role in the 2023 exploitation of vulnerabilities in MOVEit file transfer software. More recently, Clop was linked to exploitation of vulnerabilities in Cleo file transfer software, leading to dozens of attacks against retailers and logistics companies.
Researchers at Kroll told Cybersecurity Dive the hackers have been sending spear-phishing emails to Oracle customers claiming to have access to sensitive ERP data. Kroll tracks Clop under the name KTA080.
“Kroll has seen ransom-demand emails which do match contact emails used in previous KTA080 (Cl0p) ransom demands,” said Max Henderson, global head of digital forensics and incident response at Kroll.
Researchers from Mandiant and Kroll said organizations should take the demands seriously and check their systems for possible data theft and compromise.