Thursday, October 30, 2025

Oracle Apps Exploited by Hackers in New Extortion Campaign

The Oracle product runs core business operations including financial, supply chain and customer relationship management. Photographer: Chris Ratcliffe/Bloomberg

Executives and technology departments at large organizations are being extorted by a notorious ransomware group that claims to have stolen their data from a suite of popular Oracle Corp. applications, according to a Google cybersecurity executive and three others familiar with the matter.

A group of hackers claimed to have breached Oracle’s E-Business Suite, which runs core operations including financial, supply chain and customer relationship management. In one case, they demanded a ransom of up to $50 million, according to cybersecurity firm Halcyon, which is currently responding to the campaign. The group, which claims to be affiliated with a criminal outfit called Cl0p, has provided proof of compromise to victims including screenshots and file trees.


At least one company has confirmed that data from its Oracle systems was stolen, according to one of the people.

“We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days,” said Cynthia Kaiser, vice president at Halcyon’s ransomware research center. “This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations.”

The group began sending extortion emails on or before Sept. 29, according to Genevieve Stark, head of cybercrime at Google Threat Intelligence Group. The emails were sent from hundreds of compromised third-party accounts and claimed the theft of data, she said.

The extortion emails contain sloppy English and grammar, which is considered characteristic of the group, according to a person familiar with the campaign, who asked not to be named as the information isn’t public. The person didn’t disclose the targets of the extortion letters or whether any of the victims had paid a ransom.

Stark said at least one of the email addresses used on the extortion notes was previously used by an affiliate of Cl0p, and the messages contain contact details that are listed on Cl0p’s own website. Alphabet Inc.’s Google doesn’t yet have sufficient evidence to verify the claims made in the extortion demands, she said.

The hackers compromised user email accounts and abused the default password-reset function to obtain valid credentials for internet-facing Oracle E-Business Suite portals, according to Halcyon. However, one of the people familiar with the matter said they believed the theft resulted from a vulnerability the hackers exploited in Oracle’s E-Business Suite.
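The password-reset path Halcyon describes leaves a recognizable trace: a completed reset on an account, followed shortly by a successful portal login from a source address that account has never used. The script below is an added illustration of that correlation, written for this page; it is not Oracle's code, not Halcyon's detection logic, and not the E-Business Suite audit format. The four-field event lines, the event names (PASSWORD_RESET_COMPLETE, LOGIN_OK), the user names and the IP addresses are all constructed here, and the 24-hour window is an assumed tuning value. Map your own portal, SSO or reverse-proxy logs into those four fields before running it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <event> <user> <source IP>".
# This is an assumed generic format, NOT the Oracle E-Business Suite log format.
# alice: normal logins from one address, then a reset and login from a new one.
# bob: a reset followed by a login from his usual address (benign self-service).
SAMPLE_EVENTS = """\
2025-09-20T08:02:11Z LOGIN_OK alice 203.0.113.10
2025-09-21T08:05:40Z LOGIN_OK alice 203.0.113.10
2025-09-28T22:14:03Z PASSWORD_RESET_REQUEST alice 198.51.100.77
2025-09-28T22:21:45Z PASSWORD_RESET_COMPLETE alice 198.51.100.77
2025-09-28T22:23:09Z LOGIN_OK alice 198.51.100.77
2025-09-29T09:00:00Z LOGIN_OK bob 203.0.113.20
2025-09-29T09:30:00Z PASSWORD_RESET_COMPLETE bob 203.0.113.20
2025-09-29T09:31:00Z LOGIN_OK bob 203.0.113.20
"""


def parse_events(text):
    """Parse the constructed four-field lines into (timestamp, event, user, ip)
    tuples sorted by time, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_reset_then_new_ip_logins(events, window=timedelta(hours=24)):
    """Return alerts as (user, reset_time, login_time, login_ip) tuples.

    An alert fires when a completed password reset for a user is followed,
    within `window`, by a successful login from an IP address that user had
    never logged in from before the reset. Logins from already-seen addresses
    after a reset are treated as ordinary self-service and not reported.
    """
    seen_ips = defaultdict(set)   # per-user baseline of login source addresses
    pending_resets = {}           # user -> time of the most recent completed reset
    alerts = []
    for ts, event, user, ip in events:
        if event == "PASSWORD_RESET_COMPLETE":
            pending_resets[user] = ts
        elif event == "LOGIN_OK":
            reset_ts = pending_resets.get(user)
            if (reset_ts is not None
                    and ts - reset_ts <= window
                    and ip not in seen_ips[user]):
                alerts.append((user, reset_ts, ts, ip))
                pending_resets.pop(user)   # report each reset at most once
            # Every successful login extends the baseline, including the
            # suspicious one, so a second login from the same new address
            # does not re-alert; review the first alert before trusting it.
            seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for user, reset_ts, login_ts, ip in find_reset_then_new_ip_logins(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {user}: reset at {reset_ts.isoformat()} then login from new IP {ip} at {login_ts.isoformat()}")
```

Two caveats worth keeping in mind when adapting this. First, it only covers the explanation Halcyon gave; the competing account in the article, exploitation of a product vulnerability, would not pass through the reset flow at all and needs different telemetry. Second, the reset itself was reportedly triggered from a compromised mailbox, so the same idea applied upstream, flagging reset requests that arrive from an address the user has never authenticated from, catches the intrusion one step earlier.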

An Oracle spokesperson didn’t respond to a request for comment.

Cl0p is known for targeting large companies, encrypting files with sophisticated malware, stealing data and then demanding a ransom in exchange for deleting it. In 2023, Cl0p was accused of exploiting weaknesses in MOVEit, a file-transfer product used by companies and organizations to transmit sensitive data, and it claimed to have obtained data from hundreds of organizations.

Shell Plc, IAG SA’s British Airways and the British Broadcasting Corp. were among the victims of that earlier attack.

In June 2023, the US Cybersecurity and Infrastructure Security Agency issued an advisory about Cl0p, stating it was “one of the largest phishing and malspam distributors worldwide,” estimating it to have compromised more than 3,000 organizations in the US and 8,000 globally.

(Updates with additional details in third and eighth paragraph.)


©2025 Bloomberg L.P.
