Alphabet’s Google has warned that hackers are targeting executives at multiple companies with a wave of extortion emails, claiming to have stolen sensitive data from Oracle Corp’s widely used E-Business Suite.
The campaign, which surfaced in late September, has been linked to the notorious Cl0p ransomware gang, with ransom demands reaching up to $50 million, according to cybersecurity experts assisting affected firms.
Google’s Warning
In a statement, Google said that hackers claiming affiliation with Cl0p have launched a high-volume email campaign targeting senior executives and IT teams. The attackers allege they exfiltrated corporate data from Oracle’s systems.
Google’s Threat Intelligence Group noted that the emails were first sent on or before September 29, routed through hundreds of hijacked third-party accounts. The company stressed, however, that it does not yet have “sufficient evidence to definitively assess the veracity of these claims.”
Oracle has not commented on the alleged breaches.
Ransom Demands Soar
Cybersecurity firm Halcyon reported seeing ransom demands ranging from millions to tens of millions of dollars, with the largest demand at $50 million.
“There’s so much overlap amongst all these groups, and there are copycats across the ecosystem,” said Cynthia Kaiser, vice-president of Halcyon’s Ransomware Research Center. She added that while attribution to Cl0p remains disputed, early indicators point to their involvement.
In an email to Reuters, Cl0p representatives said the hackers were “not prepared to discuss details at this time.”
How the Breaches Occurred
Investigators believe attackers exploited Oracle’s default password-reset process on exposed portals to gain initial access. Some security specialists suspect a deeper software flaw may have been leveraged instead.
The ransom notes sent to victims were riddled with spelling and grammar errors, a hallmark of Cl0p’s past campaigns. Contact details matched those used on the group’s dark web leak site, though it remains unclear whether any organisations have agreed to pay.
Cl0p’s Track Record
The Cl0p ransomware group is infamous for high-profile global attacks. In 2023, it exploited a flaw in MOVEit file-transfer software, stealing data from hundreds of companies, including Shell, IAG (British Airways’ parent), and the BBC.
This time, the hackers claim to have breached Oracle’s E-Business Suite, which underpins critical corporate operations such as finance, supply chain, and customer management. At least one organisation has confirmed a compromise, while others have received proof-of-breach in the form of screenshots and file listings.
“We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days,” Kaiser warned.
The Bigger Threat
The scale and sophistication of the campaign underline the growing risks to corporate data and the mounting pressure on companies to shore up defenses against ransomware. Experts caution that even sloppy emails can inflict massive financial and reputational damage when targeted at vulnerable systems.
How to Identify
Despite their high-stakes demands, the ransom emails were riddled with spelling and grammatical errors — a signature of Cl0p’s past campaigns. Victims were given contact details linked to the gang’s dark web leak site, but it remains unclear if any company has complied with the payment demands.
