- Cl0p Ransomware Leveraged Oracle E-Business Suite and Demanded Payments from Affected Organizations
- Google says attacks began in July-August, before Oracle released a zero-day patch
- FIN11 may be involved, either collaborating with Cl0p or inspiring the extortion campaign
The recent cyberattack on Oracle E-Business Suite may have affected dozens of organizations around the world, as Google researchers shed more light on the currently active extortion campaign.
News recently emerged that numerous executives at US organizations received emails apparently coming from the Cl0p ransomware gang. In the emails, the bad actors said they stole sensitive files from the company’s Oracle E-Business Suite systems and demanded payment in exchange for deleting the files.
Initial reports suggested that the campaign may have been a hoax, but a few days later, Oracle released a patch addressing a zero-day vulnerability.
FIN11 and Cl0p
Google’s Threat Intelligence Group (GTIG) has published a new report that says the attacks likely began in the first half of August 2025, “weeks before a patch was available.” There are also indications that some attacks occurred in early July.
“In some cases, the threat actor managed to exfiltrate a significant amount of data from affected organizations,” Google said.
Researchers are not certain who is really behind this campaign. While the ransom note clearly states that Cl0p is behind it, there is evidence pointing to the involvement of a separate financially motivated group called FIN11.
“The pattern of exploiting a zero-day vulnerability in a widely used enterprise application, followed by a large-scale brand extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11 that has strategic benefits that may also attract other threat actors,” GTIG said in its report.
There are a couple of possible explanations: either Cl0p is working together with FIN11 on this, sharing tactics, techniques and procedures, or it simply rented FIN11’s infrastructure for the campaign. There is also a possibility that FIN11’s methodology served as inspiration for the infamous ransomware collective.
The real number of victims is not yet known.