Ransomware extortion warning over Oracle E-Business Suite flaws

Oracle urges users to apply July 2025 Critical Update as a matter of urgency

Executives at a number of organisations have been targeted in an extortion campaign claiming the theft of sensitive business data from their Oracle E-Business Suite software.

The campaign opened last week and is believed to be linked with the Russian Clop ransomware group, which is also associated with FIN11, a financially motivated threat group.

“Starting on or around 29 September 2025, this actor began sending extortion emails to executives at numerous organisations. The emails claim the actor has breached their Oracle E-Business Suite applications and stolen sensitive data,” warned Austin Larsen, principal threat analyst at Google Threat Intelligence, writing on LinkedIn.

However, he added: “While the claims of a successful data breach are currently unverified, we've identified strong links to the financially motivated group FIN11.”

At least one of the email accounts used has previously been used by FIN11 and the contact addresses on the extortion notes ([email protected] and [email protected]) are also publicly listed on the Clop ransomware group data leak site.

“At this time, GTIG does not have sufficient evidence to substantiate the actor's claims. Attribution in this space is often complex, and we frequently see actors mimic established groups to leverage their brand recognition, increasing pressure on victims to pay,” Larsen wrote, but he urged organisations to treat the claims seriously and to investigate in earnest for any evidence of threat actor activity.

Oracle has also confirmed receipt of the extortion notes from customers and opened an investigation.

Rob Duhart, Oracle's chief security officer, urged customers to apply the July 2025 Critical Patch Update for Oracle E-Business Suite as a matter of urgency.

“Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates,” he wrote in a blog posting published late last night.

FIN11 has also been referred to as DEV-0950, Lace Tempest and TA505, according to the APT Groups and Operations spreadsheet.

Earlier this year, Oracle suffered two data breaches, but denied that its cloud service was affected – despite evidence to the contrary. “Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has NOT experienced a security breach,” it told customers.

It added: "No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.”

In April this year, vehicle rental giant Hertz confirmed a data breach compromising customer data in a ransomware attack dating back to the last three months of 2024, also linked with Clop. That attack had exploited security flaws in the Cleo managed file transfer software.