Update — October 8, 2025: New analysis from CrowdStrike confirms that the CL0P ransomware gang has been exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) since at least early August to steal data.
CrowdStrike said it first observed exploitation on August 9, assessing with moderate confidence that CL0P (also known as GRACEFUL SPIDER) was responsible.
Oracle has since patched the flaw and customers are urged to apply the fix immediately.
(Original story continues below.)
A well-known ransomware gang is attempting to extort Oracle E-Business Suite (EBS) customers with emails claiming data compromise.
Oracle has confirmed the extortion campaign, but not the attackers’ claims.
The company said its investigation points to the “potential use of previously identified vulnerabilities” already addressed in the July 2025 Critical Patch Update, and urged customers to apply the latest patches.
Oracle did not disclose how many customers may have been targeted.
The campaign is linked to ransomware-as-a-service gang CL0P, who reportedly provided screenshots and file trees as proof of access, Halcyon said in a security alert.
The attackers first compromised user emails, then exploited the local login pages of exposed Oracle EBS portals, said Halcyon. These local accounts often bypass SSO and lack MFA, allowing password resets and “valid user access.”
Extortion demands have ranged from several million dollars to as much as $50 million, Halcyon said.
Halcyon advised EBS customers to check whether their portals are publicly accessible, to enforce MFA for all accounts, including local logins, and to improve email security controls and deploy anti-ransomware solutions.
In a blog post, Chief Security Officer Rob Duhart wrote: “Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails.
“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.”
An example of the email first shared with BleepingComputer reads: “We are CL0P team. If you haven’t heard about us, you can google about us on internet.”
“We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.”
“But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business. So, your only option to protect your business reputation is to discuss conditions and pay claimed sum.”
Google Threat Intelligence Group (GTIG) head analyst Austin Larsen said that the “High-volume extortion campaign” began at the end of September.
GTIG has not yet verified that a data breach has taken place and has not substantiated the gang’s claims, but nevertheless recommends that organizations take the emails seriously.
“Given the connections to a well-established extortion operation, we strongly recommend organizations treat these emails seriously and investigate their environments for any evidence of threat actor activity,” Larsen recommends.
CL0P are an infamous ransomware-as-a-service gang, known for their campaigns targeting zero-day vulnerabilities.
Active since 2020, the gang’s best known campaign came in July 2023, when CISA issued a warning that it was exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in a popular Managed File Transfer (MFT) solution.
The gang is thought to be Russian speaking, but no proven background or location has been found.
In a statement to Reuters, CL0P reportedly claimed awareness of the campaign, but said: “We not prepared to discuss details at this time.”
How to stay protected
Halcyon has published a detailed advisory with steps for customers to stay protected.
This includes:
- Checking if EBS portals are accessible and restricting exposure
- Enforcing MFA for all accounts (including local logins)
- Removing internet access to EBS via a reverse proxy
- Disabling the password reset function or requiring 2FA
- Hardening email security
- Deploying an anti-ransomware solution
- Protecting backup integrity
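As an added illustration of the “remove internet access via a reverse proxy” step (example configuration, not from the article, Halcyon or Oracle), the rule below keeps the EBS local login page off the internet while leaving SSO-protected entry points untouched. It assumes an Apache 2.4-style reverse proxy in front of the EBS web tier, that the local (non-SSO) login lives at /OA_HTML/AppsLocalLogin.jsp, and that 10.0.0.0/8 is the internal network.

```apache
# Added example: restrict the EBS local login page to internal clients.
# Assumptions: Apache 2.4 reverse proxy in front of EBS, local login at
# /OA_HTML/AppsLocalLogin.jsp, internal network 10.0.0.0/8.

# Weak setting: the local login page answers to any source address, so a
# reset password on a local account that bypasses SSO and MFA is enough.
# <Location "/OA_HTML/AppsLocalLogin.jsp">
#     Require all granted
# </Location>

# Hardened setting: only internal addresses may reach the local login page;
# everyone else receives 403 and the attempt is recorded in the access log.
<Location "/OA_HTML/AppsLocalLogin.jsp">
    Require ip 10.0.0.0/8
</Location>
```

Denied requests show up as 403 responses for this path in the proxy access log, which gives a simple signal for spotting external attempts to reach the local login.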
Organizations using Oracle EBS should urgently audit internet-facing access, enforce strong authentication, and apply Oracle’s July 2025 patch update.
Update — October 8, 2025: New research from CrowdStrike confirms that the CL0P ransomware gang exploited a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite as early as August 2025 to steal sensitive data.
Oracle has since patched the flaw. Customers are urged to apply the October 2025 Security Alert immediately.