Executives and managers across organizations recently received emails from the Clop ransomware group, warning them of alleged breaches involving Oracle’s E-Business Suite application. These communications attempt to treat the extortion as a strictly financial matter, asserting no political or ideological motivation. Recipients were promised proof of the breach in the form of selected stolen files and faced a stark ultimatum tied to a payment deadline. The messages, written in flawed English, sought to pressure Oracle customers to pay ransoms to prevent the publication or sale of their stolen information. Cybersecurity researchers have stressed that these tactics are intended to create urgency and leverage reputational and regulatory risks.
Earlier reporting on ransomware campaigns showed Clop's pattern of focusing on financial gain rather than causing operational disruption or targeting specific countries. Other incidents involving Clop also included offering "proof of breach" and portraying the group as honouring its promises once paid, often referencing prior deals with victims. The recent attacks mirror these established methods, but the scale of the campaign against Oracle E-Business Suite users and the use of compromised third-party email accounts show how Clop's approach to establishing credibility and pressuring victims is evolving. Previous disclosures did not describe such direct and widespread contact with executives through compromised, unrelated accounts, which points to a tactical shift.
How Did Clop Contact Oracle Customers?
Researchers found that the Clop group sent emails to Oracle users via hundreds of compromised third-party email accounts, an approach that made detection more difficult and lent perceived legitimacy to the correspondence. Austin Larsen from Google’s Threat Intelligence Group noted the prevalence of this tactic, explaining that cybercriminals often acquire credentials from infostealer malware logs available on underground forums to bypass spam filters. The campaign did not involve mass spam, but rather targeted individuals positioned to make decisions under pressure.
What Did Clop’s Emails Offer or Threaten Recipients With?
The extortion messages detailed that Clop would provide concrete evidence of the alleged breach, offering to supply up to three files or data rows upon request. Threats of serious consequences were explicit; the group warned that the fallout from not paying would far exceed the ransom demand, referencing financial losses, reputational harm, and regulatory penalties. Clop’s messaging repeatedly emphasized their intent to monetize the breach without causing broader damage, stating “We do not seek political power or care about any business.”
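The two preceding sections describe why these messages slip past ordinary filtering (they come from real, compromised third-party accounts, so sender authentication looks clean) and what they contain (offers of "proof" files or data rows, deadline pressure, and the phrasing quoted later on this page). The triage script below is an added example and is not code from the article or from any vendor; it parses raw messages with Python's standard `email` library and scores them on indicators taken from the article's description. The sample messages are constructed for the example, and the Reply-To mismatch heuristic is an assumption of mine, not a behaviour the article reports.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Phrases paraphrased from the extortion wording the article quotes.
# Each hit adds PHRASE_WEIGHT to the score.
EXTORTION_PHRASES = [
    r"proof of (the )?breach",
    r"files or data rows",
    r"fulfil+ all promises",
    r"point of no return",
    r"convey this (information )?to your executive",
    r"oracle e-business suite",
]
PHRASE_WEIGHT = 2
EXTERNAL_SENDER_WEIGHT = 1
REPLY_TO_MISMATCH_WEIGHT = 2   # assumed heuristic, see lead-in
DEFAULT_THRESHOLD = 5

# Constructed sample: an extortion note sent from an unrelated supplier's
# compromised mailbox. SPF/DKIM pass because the account is genuine.
EXTORTION_SAMPLE = """\
From: Accounts Team <billing@unrelated-supplier.example>
Reply-To: contact@attacker-mailbox.example
To: cfo@victim.example
Subject: Urgent: your Oracle EBS data
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=unrelated-supplier.example; dkim=pass header.d=unrelated-supplier.example

We have your data from Oracle E-Business Suite. We can send up to 3 files
or data rows as proof of breach. We always fulfil all promises. Please
convey this information to your executive and managers. We advise not to
reach point of no return.
"""

# Constructed sample: a legitimate external consultant mentioning the product.
BENIGN_SAMPLE = """\
From: Jane <jane@consultancy.example>
To: cfo@victim.example
Subject: EBS patch window
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=consultancy.example; dkim=pass header.d=consultancy.example

Reminder: the Oracle E-Business Suite patching window is Saturday 02:00.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_message(raw):
    """Extract the few fields the scoring needs from a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "from_domain": _domain(msg.get("From")),
        "reply_to_domain": _domain(msg.get("Reply-To")),
        "auth": str(msg.get("Authentication-Results") or "").lower(),
        "text": re.sub(r"\s+", " ", text).lower(),
    }


def score_extortion(raw, own_domain):
    """Return (score, indicator list, auth_passed) for one message.

    auth_passed is reported separately and deliberately NOT used to lower
    the score: mail from a compromised legitimate account authenticates
    cleanly, which is exactly why this campaign got through spam filters.
    """
    m = parse_message(raw)
    indicators = []
    phrases = [p for p in EXTORTION_PHRASES if re.search(p, m["text"])]
    for p in phrases:
        indicators.append(("phrase:" + p, PHRASE_WEIGHT))
    if m["from_domain"] and m["from_domain"] != own_domain.lower():
        indicators.append(("external_sender", EXTERNAL_SENDER_WEIGHT))
    # Assumed heuristic: an attacker using someone else's mailbox may
    # steer replies to an address they control.
    if m["reply_to_domain"] and m["reply_to_domain"] != m["from_domain"]:
        indicators.append(("reply_to_mismatch", REPLY_TO_MISMATCH_WEIGHT))
    auth_passed = "spf=pass" in m["auth"] or "dkim=pass" in m["auth"]
    return sum(w for _, w in indicators), indicators, auth_passed


def is_extortion_candidate(raw, own_domain, threshold=DEFAULT_THRESHOLD):
    """True when the message should be routed to incident response."""
    return score_extortion(raw, own_domain)[0] >= threshold


if __name__ == "__main__":
    for name, sample in (("extortion", EXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits, auth = score_extortion(sample, "victim.example")
        print(name, score, auth, [h for h, _ in hits])
```

The point of the separate `auth_passed` value is the one the article makes: a passing SPF or DKIM result says the account is real, not that the sender is who the recipient thinks it is, so the decision has to rest on content and routing indicators instead. The benign vendor mail scores on one phrase plus the external sender and stays under the threshold; the extortion note trips every phrase, the external sender and the Reply-To mismatch.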
What Stance Have Oracle and Security Experts Taken?
Although Oracle has not released any public statement on these claims, security analysts remain cautious about confirming whether a breach actually occurred or whether the Clop group is definitively behind the emails. The contact information and communication style are consistent with Clop's past operations, which lends weight to the claim that the group is responsible. As one email insisted:
“We always fulfil all promises and obligations. We are not interested in destroying your business. We want to take the money and you not hear from us again.”
The group reinforced the pressure with a reminder:
“Please convey this information to your executive and managers as soon as possible. We advice not reach point of no return.”
With this latest incident, the Clop group continues to refine its methods, applying direct social pressure to executives and using third-party account compromise as a delivery vector. For organizations using Oracle E-Business Suite, these messages are a reminder that robust incident response planning and sound credential hygiene, including watching for staff credentials that surface in infostealer logs, remain essential. If approached by threat actors claiming access or control, companies should avoid direct engagement, preserve forensic evidence (including the original messages and their headers), and report to the relevant authorities. Paying a ransom guarantees neither deletion of stolen data nor non-disclosure, and it can invite repeat targeting. A coordinated response involving cyber security professionals and legal counsel remains the advised path to minimize further business risk.