Google has issued a warning about a surge in extortion emails being sent to executives at large organizations.
The tech company revealed that a group claiming affiliation with the Clop ransomware gang is behind the campaign, which began around September 29, 2025.
The senders of these emails allege that they have stolen sensitive data from Oracle’s E-Business Suite, a widely used enterprise resource planning platform.
The attackers are demanding ransom payments in exchange for not releasing the purported data.
Google emphasized that it has not yet verified the authenticity of the claims and is continuing to investigate the scope and impact of the campaign.
Emails Sent from Compromised Accounts to Google Executives
Google’s incident response unit Mandiant reported that hackers are sending extortion emails from hundreds of compromised accounts.
At least one of these accounts has previously been linked to FIN11, a financially motivated threat group associated with Clop.
Hackers reportedly include in the emails contact details listed on Clop’s data leak site, a site often used to pressure victims into paying ransoms to prevent public disclosure of stolen files.
Charles Carmakal, Chief Technology Officer at Mandiant, noted that the campaign is high-volume and appears to be well-coordinated.
Hackers are directing the emails at executives and IT leaders, increasing the psychological pressure on organizations to respond quickly.
Exploiting Oracle E-Business Suite Vulnerabilities
The attackers claim to have exploited vulnerabilities in Oracle’s E-Business Suite to gain access to sensitive corporate data.
Bloomberg reported that the hackers used compromised user emails to initiate access attempts.
They then abused the default password-reset function to obtain working credentials for Oracle web portals accessible from the internet.
Thousands of companies worldwide use Oracle’s E-Business Suite as a critical system to manage customer databases, employee records, and financial operations.
While Oracle has not commented publicly on the breach, the platform’s importance makes it a high-value target for cybercriminals.
Ransom Demands Reach Tens of Millions
Cybersecurity firm Halcyon is assisting in the response to the campaign. It reported that ransom demands range from millions to tens of millions of dollars.
In one case, the demand reached $50 million.
Cynthia Kaiser, head of Halcyon’s Ransomware Research Center, noted that while the Clop connection is plausible, there is overlap among various ransomware groups and copycat actors, making attribution complex.
Google stated that it currently lacks sufficient evidence to confirm whether any data was actually stolen.
The company is urging organizations to remain vigilant and to review their security protocols, especially those related to Oracle systems.