The attackers, believed to be linked to the ransomware gang known as Cl0p, have launched a large-scale email campaign directed at organisations running Oracle E-Business Suite. The system underpins critical functions such as finance, supply chain, and customer management, making it an attractive target for cybercriminals.

According to Google, the extortion emails have been arriving in high volumes and are being sent from hundreds of hijacked accounts. Some of these accounts were previously connected to FIN11, a financially motivated group associated with Cl0p. The messages threaten exposure of allegedly stolen data, with some demands reported to be as high as $50 million.

Cybersecurity firm Halcyon confirmed that certain emails contained screenshots and file directories as supposed evidence of the breach. Experts, however, caution that these materials may be fabricated or recycled from past attacks. “Google does not currently have sufficient evidence to definitively assess the veracity of these claims,” the company stated.

However, neither Google nor its security subsidiary, Mandiant, has found proof that Oracle’s software was compromised or that data theft actually occurred. No zero-day vulnerabilities have been confirmed. Oracle has yet to issue a public statement.

Experts note that even unverified claims can destabilise businesses, trigger panic, and tarnish reputations. Recent campaigns by ransomware groups show a change in tactics, using threats and psychological pressure instead of traditional file encryption.

Security experts advise organisations to closely monitor Oracle environments for unusual logins or credential misuse, strengthen phishing defences, and review their incident response strategies. Multi-factor authentication, they warn, is no longer optional but essential.

This collaboration brings together two of the most experienced teams in ransomware defense to accelerate detection, enhance protection, and improve response capabilities for more than 300,000 organizations worldwide.

The collaboration between Sophos and Halcyon will exchange threat intelligence in real time, including indicators of compromise (IOCs), adversary behaviours, and attack patterns, to enhance ransomware prevention and accelerate response time.

Following Halcyon’s recent announcement of a community-focused Ransomware Research Center, this data-sharing initiative will inform defenses across both Sophos’ and Halcyon’s solutions.

It will benefit customers using Sophos Endpoint powered by Intercept X, as well as Sophos Managed Detection and Response (MDR), Sophos XDR, Halcyon’s Anti-Ransomware Platform, and other joint capabilities.

As part of the collaboration, Halcyon and Sophos will also implement mutual anti-tamper protections that allow each platform to monitor and safeguard the other’s agents in customer environments.

This helps ensure that organizations using both solutions benefit from added resilience, reducing the risk of ransomware interfering with security defenses and preserving the integrity of their overall protection strategy.

The threat intelligence collaboration is part of Sophos’ broader strategy to expand the reach and speed of its threat response through strategic partnerships.

Sophos X-Ops, the company’s cross-functional threat intelligence unit, will work closely with Halcyon’s research and engineering teams to share and operationalize ransomware-related insights across a wide array of attack surfaces.

“Ransomware tools and tactics are evolving constantly, and the best defense is timely, relevant intelligence that enables defenders to act quickly and with confidence,” said Simon Reed, chief research and scientific officer, Sophos. “By sharing insights with Halcyon, we’re improving signal fidelity and accelerating detection across our systems, which strengthens protection for all the organizations we serve.”

“Halcyon is honored to partner with Sophos. Over the last four years, based on our telemetry, Sophos has time and time again proven to be one of the most effective endpoint security platforms we have encountered, reliably performing and disrupting attackers at a level that simply outperforms the majority of the players in the next-generation antivirus and endpoint detection and response (EDR) space. Their dedication to innovate and roll out industry-leading and unique features continues to put their customers at an everyday advantage over the most sophisticated attacks affecting enterprises today,” said Jon Miller, CEO and co-founder of Halcyon. 

Key benefits of the collaboration between Sophos and Halcyon include:

• Real-time ransomware intelligence: Sophos and Halcyon will share timely threat intelligence, including indicators of compromise (IOCs), attacker behaviors, and tools used in active ransomware campaigns. This intelligence supports earlier detection, broader visibility, and more informed responses.
• Strengthened defenses across products and services: Shared intelligence will enhance threat detection models, enrich contextual telemetry, and accelerate protection updates within each company’s solutions, including Sophos Central and Halcyon’s Anti-Ransomware Platform.
• Mutual anti-tamper protections: Each solution actively monitors the other’s agents to prevent tampering or disablement during ransomware attacks, helping ensure that security defenses remain intact and effective throughout an incident.

This collaboration highlights Sophos’ and Halcyon’s continued commitment to cybersecurity innovation, industry cooperation, and the mission to defeat cybercriminals.

Together, Sophos and Halcyon are delivering the intelligence needed to stay one step ahead of attackers.