Executives at large companies are being pressured by a well-known ransomware group that says it broke into Oracle's widely used E-Business Suite and stole their data, according to Google's cybersecurity team.
Claiming links to the notorious Cl0p gang, the group launched its extortion campaign around Sept. 29, said Genevieve Stark, who leads cybercrime research at Google’s Threat Intelligence Group. The emails — blasted out from hundreds of hijacked third-party accounts — warned victims that their data had been stolen.
The Oracle platform drives the core of many companies’ operations, handling everything from finances and supply chains to customer management.
The ransom emails were written in clumsy English — a hallmark of the group’s past campaigns, according to one source. One of the sender addresses had been used before by a Cl0p affiliate, and the notes even listed contact details pulled straight from Cl0p’s own website, Stark said.
Google, a unit of Alphabet Inc., doesn’t yet have enough evidence to confirm the claims made in the extortion demands, Stark said. Others familiar with the situation, who requested anonymity to discuss private information, declined to identify the targets or say whether any victims had paid a ransom.
Oracle didn't respond to a request for comment.
Cl0p built its reputation attacking major companies with ransomware that encrypts files and demands payment to unlock them, though its largest recent campaigns have relied on stealing data and threatening to leak it rather than on encryption. In 2023, the group allegedly exploited a then-unpatched vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used file-transfer platform, and boasted of stealing data from hundreds of organizations.
Victims of that earlier attack included Shell, British Airways, and the BBC.
In a June 2023 joint advisory with the FBI, the U.S. Cybersecurity and Infrastructure Security Agency described Cl0p as "one of the world's biggest distributors of phishing and malspam," estimating it had breached more than 3,000 organizations in the U.S. and some 8,000 worldwide.