A financially motivated hacking campaign is pressuring executives at large organisations to pay ransoms after claiming data was stolen from Oracle’s E‑Business Suite, according to multiple cybersecurity firms investigating the incidents.
Mandiant and Google’s Threat Intelligence Group said they are tracking a high‑volume wave of extortion emails sent on or before 29 September from hundreds of compromised third‑party accounts, asserting theft from internet‑facing Oracle E‑Business Suite portals. “We are currently observing a high‑volume email campaign being launched from hundreds of compromised accounts,” said Charles Carmakal, chief technology officer at Mandiant Consulting. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.
Investigators cautioned that core claims remain unproven. “It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group. She noted the campaign began on or before 29 September and involves compromised email infrastructure.
BleepingComputer reported that contact details in the emails match addresses listed on the Clop ransomware gang’s leak site and that one sending account has been linked to FIN11, a long‑running extortion group. “We are currently observing a high‑volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11,” Carmakal said. Mandiant advised recipients to review Oracle E‑Business Suite environments for unusual access.
Bloomberg, citing Halcyon, said the hackers provided screenshots and file trees as alleged proof and, in at least one case, demanded up to £50 million. “We have seen Cl0p demand huge seven‑ and eight‑figure ransoms in the last few days,” said Cynthia Kaiser, vice president at Halcyon’s ransomware research centre. “This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations.” Halcyon added that attackers abused default password‑reset functions to gain valid credentials.