Hackers are attempting to extort senior executives by claiming to have stolen sensitive data from Oracle’s widely used business software, Google has disclosed.
The attackers, believed to be linked to the ransomware gang known as Cl0p, have launched a large-scale email campaign directed at organisations running Oracle E-Business Suite. The system underpins critical functions such as finance, supply chain, and customer management, making it an attractive target for cybercriminals.
According to Google, the extortion emails have been arriving in high volumes and are being sent from hundreds of hijacked accounts. Some of these accounts were previously connected to FIN11, a financially motivated group associated with Cl0p. The messages threaten exposure of allegedly stolen data, with some demands reported to be as high as $50 million.
Cybersecurity firm Halcyon confirmed that certain emails contained screenshots and file directories as supposed evidence of the breach. Experts, however, caution that these materials may be fabricated or recycled from past attacks. “Google does not currently have sufficient evidence to definitively assess the veracity of these claims,” Google stated.
Neither Google nor its security subsidiary, Mandiant, has found proof that Oracle’s software was compromised or that data theft actually occurred. No zero-day vulnerabilities have been confirmed. Oracle has yet to issue a public statement.
Experts note that even unverified claims can destabilise businesses, trigger panic, and tarnish reputations. Recent campaigns by ransomware groups show a change in tactics, using threats and psychological pressure instead of traditional file encryption.
Security experts advise organisations to closely monitor Oracle environments for unusual logins or credential misuse, strengthen phishing defences, and review their incident response strategies. Multi-factor authentication, they warn, is no longer optional but essential.