- Hackers claim to have stolen Oracle E-Business Suite data, demanding ransom from executives
- Campaign linked to FIN11 and possibly Cl0p, using hundreds of compromised email accounts
- No proof of data theft yet; researchers urge checking Oracle logs for suspicious activity
Cybercriminals are mailing executives at various American organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems, and most likely demanding payment in exchange for keeping the files out of public reach.
"This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at Google's Threat Intelligence Group (GTIG), which, along with Mandiant, has been tracking the campaign since late September 2025.
In other words, there is still no evidence that what these hackers are saying is true. Sometimes crooks simply try to bluff their way into being paid, and this certainly wouldn't be the first time that has happened.
Links to FIN11 and Cl0p
What makes this campaign interesting is its link to different hacking collectives.
According to Charles Carmakal, CTO of Mandiant at Google Cloud, the emails are being sent from hundreds of compromised email accounts, including one known to belong to a financially motivated threat actor.
"We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion," Carmakal said.
At the same time, the emails contained contact addresses that were previously listed on Cl0p's data leak site, so it is possible that both groups are involved in the campaign, or are simply sharing resources. The evidence is not compelling enough to confirm the links, though.
In any case, the researchers recommend that all organizations running Oracle E-Business Suite review the platform's logs for unusual or suspicious access.
Via BleepingComputer