- Cl0p ransomware exploited Oracle E-Business Suite, demanding payment from affected organizations.
- Google says the attacks began in July-August, before Oracle released a zero-day patch.
- FIN11 could be involved, either by collaborating with Cl0p or inspiring the extortion campaign.
The recent Oracle E-Business Suite cyberattack may have affected dozens of organizations around the world, as Google researchers shed light on the currently active extortion campaign.
News recently broke that many leaders of US organizations have received emails apparently from the Cl0p ransomware gang. In the emails, the criminals said they had stolen sensitive files from the recipients' Oracle E-Business Suite systems and demanded payment in exchange for deleting the files.
Early reports suggested the campaign may have been a bluff, but days later Oracle released a patch fixing a zero-day vulnerability.
FIN11 and Cl0p
Google’s Threat Intelligence Group (GTIG) has released a new report indicating that the attacks likely began in the first half of August 2025, “weeks before a patch was available.” There is also evidence that some attacks took place in early July.
“In some cases, the threat actor was able to exfiltrate a significant amount of data from affected organizations,” Google said.
Researchers seem a little confused as to who is actually behind this campaign. Although the ransom note clearly states that Cl0p is behind this, there is evidence pointing to the involvement of a separate, financially motivated group called FIN11.
“The exploitation of a zero-day vulnerability in a widely used enterprise application, followed by a large-scale brand extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11 that has strategic advantages that may also attract other threat actors,” GTIG said in its report.
This could mean several things: either Cl0p is working with FIN11 on this, sharing tactics, techniques and procedures, or it has simply rented its infrastructure for the campaign. It’s also possible that FIN11’s methodology served as inspiration for the infamous ransomware collective.
The real number of victims is not yet known.