Clop Ransomware Sends Extortion Emails To Oracle Clients

In late September 2025, a wave of extortion emails began arriving at executives and IT leaders of organizations running Oracle's E-Business Suite (EBS). The messages claimed that attackers had stolen sensitive enterprise data and demanded payment to prevent public disclosure. The emails surfaced on or before September 29.

The contents of those emails follow a frightening template: the senders, identifying themselves as "CL0P team," assert they have breached the recipient's Oracle systems and exfiltrated documents. In one email obtained by CyberScoop, the attackers offer to share a few sample files (or rows) to prove authenticity, while warning that full disclosure will follow unless a ransom is paid.

The emails mix intimidation and negotiation; they state, "We always fulfil all promises and obligations ... we want to take the money, and you not hear from us again." They emphasize that the goal is financial with statements like, "we are not interested in destroying your business", and instruct victims to initiate contact via the given email addresses.

The attackers borrowed from Clop Ransomware's previously used branding. It is yet unknown if Clop threat actors are behind the attack or threat actors pretending to be Clop; however, some evidence suggests Clop is pivoting to an extortion-only model.

The outbound emails include contact addresses that correspond to those listed on Clop's public data leak site, and those addresses have appeared in prior Clop and other known FIN11 operations.

Researchers observed that the extortion campaign originated from hundreds of compromised third-party email accounts, rather than a single sender domain, likely to evade spam filters and attribution. While the emails claim data theft, investigators have so far found insufficient public proof of a massive breach. Neither leaked archives nor verifiable exfiltrated data have been independently confirmed.

Still, some ransom demands reportedly reach high sums. Security firms have observed demands in the seven- to eight-figure range, including one demand reportedly as high as 50 million USD. Given Clop's prior history of targeting enterprise file transfer platforms, such as MOVEit, Accellion, GoAnywhere, and Cleo, researchers are treating this campaign as a new extension of Clop's data-theft and extortion playbook.

Due to the high stakes and direct targeting of executives, the campaign has drawn immediate attention from threat intelligence units and cybersecurity firms seeking to validate, or even debunk, the attack claims.

Oracle quickly acknowledged that some of its EBS customers had received extortion emails. In a public blog post, Rob Duhart, Chief Security Officer at Oracle, stated that Oracle was investigating the situation and had found "potential use of previously identified vulnerabilities" that had been patched in the company's July 2025 critical patch update (CPU).

Oracle emphasized that customers should apply all relevant July 2025 security updates, particularly those that address vulnerabilities in EBS, and urged organizations to enhance security around their EBS instances.

Oracle did not attribute the attacks to Clop explicitly, citing that its investigation was ongoing and that it lacked confirmation of data theft. Oracle's investigation also examined which specific vulnerabilities might be implicated. In its July 2025 CPU, Oracle issued 309 patches, nine of which addressed defects in EBS.

Among those, three (CVE-2025-30746, CVE-2025-30745, CVE-2025-50107) were remotely exploitable without authentication. Oracle's statement pointed to the "potential use" of those known flaws, rather than zero-day vulnerabilities.

Clop's Pivot to Extortion-Only Tactics

This recent campaign suggests Clop (or a group posing as Clop) is shifting strategy. Rather than deploying ransomware to encrypt systems, the attackers rely solely on extortion, threatening to publish or sell stolen data. This model aligns with extortion as a service and data-leak blackmail, rather than intrusion plus encryption.

Indeed, the extortion emails explicitly state that the goal is financial, not destruction: "we do not seek political power or care about any business," the messages read. The tactic of revealing only limited proof (e.g., sample rows, screenshots, or a few files) is designed to pressure victims into believing the breach was real while minimizing exposure to full disclosure of the attackers' methods.

Observers note that Clop has used similar approaches in prior campaigns, exploiting vulnerabilities silently, exfiltrating data, and then threatening publication unless ransom is paid. This campaign appears to extend the playbook from file transfer software to ERP systems, such as Oracle EBS.

This pivot has several advantages for attackers:

  • Lower technical exposure risk: Without deploying ransomware payloads, attackers reduce the risk of detection, forensic traces, and disruption.
  • Higher scalability: Emailing extortion demands to multiple organizations is more cost-effective and efficient than individually deploying malware at each target.
  • Psychological pressure on executives: Targeting decision-makers directly may prompt decisions based on fear before a thorough investigation has occurred.
  • Maintaining plausible deniability: If no breach is confirmed, attackers can walk back claims or attribute failures to bluffing, while still collecting payments.

In this campaign, Clop (or the impersonator) leverages brand recognition and reputational fear: victims may assume that the attackers have credibility because of Clop's known history. However, this shift also carries risks. If the claims are revealed as a bluff, that is, if forensic investigation proves no compromise occurred, then the attacker's credibility weakens.

A false extortion campaign may prompt organizations to refuse payment or publicize the attempt, thereby undermining future coercion efforts. Some experts caution that attackers may repurpose publicly known or previously breached data (recycling old leaks) or even fabricate evidence.

From a defensive perspective, organizations must treat such emails as credible threats—even in the absence of proof—to avoid being paralyzed by uncertainty.

Best practices include:

  • Immediately reviewing logs and audit trails for suspicious access or anomalous behavior.
  • Enforcing multifactor authentication and limiting password reset pathways on exposed systems.
  • Hardening network perimeters, especially around web services tied to backend systems.
  • Monitoring outbound traffic and detecting large data exfiltration patterns.
  • Collaborating with digital forensics and incident response teams to validate or refute the extortion claims.
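One concrete way to start the validation step above is to triage the extortion email itself against the signals this article reports: the "CL0P team" self-identification, contact addresses that match those published on the group's leak site, and senders on unrelated third-party domains. The following is an added example, not code from the article or from any vendor; the watchlist entry and the sample messages are constructed placeholders, and a real deployment would load the watchlist from a threat-intelligence feed.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Placeholder watchlist (assumption): in practice, load the contact addresses
# published on the group's leak site from your threat-intelligence feed.
WATCHLIST = {"contact@leaksite-contact.invalid"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BRAND_RE = re.compile(r"\bcl[0o]p\b", re.IGNORECASE)  # matches "Clop" and "CL0P"

SAMPLES = [  # constructed sample messages, not real extortion emails
    "From: Alice <alice@vendor-one.example>\nSubject: Oracle data\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "We are CL0P team. Write to contact@leaksite-contact.invalid for samples.\n",
    "From: Bob <bob@vendor-two.example>\nSubject: Your EBS documents\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "cl0p here. Contact contact@leaksite-contact.invalid before we publish.\n",
    "From: Carol <carol@victim.example>\nSubject: EBS patch window\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Reminder: the July CPU goes onto the EBS test instance on Thursday.\n",
]

def body_text(msg):
    """Concatenate text/plain parts; works for single-part and multipart mail."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email, watchlist=WATCHLIST):
    """Score one message: brand claim, watchlist hits, and third-party relay pattern."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    text = body_text(msg)
    contacts = {a.lower() for a in ADDR_RE.findall(text)} - {sender}
    hits = contacts & {w.lower() for w in watchlist}
    brand = bool(BRAND_RE.search(text))
    # Contact addresses on a domain unrelated to the sender fit the reported
    # pattern of demands relayed through compromised third-party accounts.
    relay = bool(contacts) and all(c.rsplit("@", 1)[-1] != sender_domain for c in contacts)
    return {"sender_domain": sender_domain, "brand_claim": brand, "contacts": sorted(contacts),
            "watchlist_hits": sorted(hits), "third_party_relay": relay,
            "score": int(brand) + 2 * len(hits) + int(relay)}

def campaign_summary(results):
    """Across messages: many sender domains but one shared contact address is the tell."""
    domains = Counter(r["sender_domain"] for r in results)
    shared = Counter(c for r in results for c in r["contacts"])
    return {"distinct_sender_domains": len(domains), "shared_contacts": shared}
```

A score of zero does not prove the message is benign, and a high score does not prove data was taken; the output is a prioritisation aid for the log review and forensic validation the list above describes.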

In this latest Oracle campaign, much remains unverified. However, the shift away from encryption toward pure data blackmail highlights how ransomware groups are evolving into organized extortion services. Whether this campaign concludes in payouts, disclosures, or legal countermeasures will set a precedent for how enterprise software vendors must defend against coercion by threat actors in the years to come.

Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
