Large-Scale Extortion: Cybercriminals Compromise Oracle's E-Business Suite

A new and sophisticated cyberattack campaign has shaken the foundations of the international business world, generating an unprecedented wave of concern and alarm across multiple sectors. A group of cyber attackers with strong ties to the infamous Cl0p ransomware has launched a coordinated offensive specifically targeting users of Oracle’s E-Business Suite (EBS), one of the most widely used ERP platforms in multinational corporations around the globe. 

This offensive has compromised highly sensitive data from these Oracle-based companies and has triggered a series of extortion attempts directed especially at high-level executives, resulting not only in significant economic losses but also in potentially irreparable damage to corporate trust and reputation. The intrusion, initially detected at the end of September 2025, exploited a series of vulnerabilities that, although known and documented by Oracle, had not been timely patched by many of the affected organizations. 

This negligence in applying Oracle’s security patches and updates highlights a recurring issue in the business world: the gap between the functional robustness of technological infrastructures and the fragility of their protection against advanced threats. The attack on Oracle potentially affected thousands of organizations that rely on the E-Business Suite to manage critical business processes and are now facing the consequences of this severe security breach.


Oracle E-Business Suite: Cornerstone in the Operation of Large Corporations

To understand the magnitude and impact of this attack, it is essential to understand what Oracle’s E-Business Suite is and its role within large corporations. Oracle’s EBS is an ERP (Enterprise Resource Planning) platform that integrates multiple business modules into a single technological architecture, allowing companies to manage virtually every aspect of their operations from a single system. 

These modules in the Oracle platform include finance and accounting, supply chain management, human resources, payroll, customer relationship management (CRM), procurement, logistics, manufacturing, and more. Since its launch in the late 1990s, Oracle’s E-Business Suite has evolved to become the operational core of thousands of organizations worldwide. 

Its adoption is particularly notable in sectors where efficient process integration is critical, such as manufacturing, energy, financial services, healthcare, and retail. Although Oracle has actively promoted migration to its cloud offering—especially with Oracle Cloud ERP—many companies continue operating on-premise versions of EBS. This continuity is mainly due to the complexity and cost associated with migrating highly customized processes, as well as regulatory and compliance considerations that limit the immediate move to cloud environments.

This scenario has led to a mixed Oracle ecosystem, where old and modern software installations coexist, and where the application of security patches is not always prioritized or is delayed for operational reasons. As a result, legacy ERP systems such as on-premise Oracle EBS become attractive targets for ransomware groups and cybercriminals who constantly search for known vulnerabilities in widely used enterprise applications, aiming to maximize impact and economic gain from their attacks.

Anatomy of the Attack: Exploiting Vulnerabilities and Abusing Internal Functions

The extortion campaign linked to Cl0p against Oracle’s E-Business Suite is characterized by its surgical precision and by techniques that depart from blunt, indiscriminate attacks. According to internal sources and digital intelligence reports collected by Bloomberg and other specialized media, the attackers began their offensive by gaining access to compromised corporate email accounts belonging to organizations running Oracle EBS. 

This initial access was achieved through common but effective methods: targeted phishing campaigns, credentials stolen in previous attacks, or credentials purchased in underground cybercrime markets. With access to these accounts, the attackers employed a particularly clever and less visible tactic: abusing the automated password recovery system integrated into Oracle EBS. 

Using this legitimate feature, they were able to generate new valid credentials for users with critical permissions within the system. In this way, they infiltrated the mission-critical EBS environments of the targeted organizations without triggering conventional security alarms, as they operated under the guise of authorized users. This strategy allowed them to maintain persistent and extended access without raising immediate suspicion.

Once inside the organizations’ Oracle EBS environments, the attackers carried out a systematic and massive extraction of confidential information. The compromised data includes accounting databases, detailed financial reports, commercial contracts, internal organizational charts, personal employee data, and in some cases, highly sensitive client records. Instead of encrypting and locking access to systems, as in traditional ransomware attacks, this operation focused on exfiltration and data theft, which was later used for digital extortion campaigns.

The attackers sent extortion emails to high-level executives, displaying concrete evidence of the security breach in Oracle. These messages included fragments of stolen files, screenshots, and links showing file trees compromised in Oracle systems. A distinctive feature of these emails was their often poor English, a hallmark historically associated with previous campaigns attributed to Cl0p. 

Additionally, the use of previously compromised third-party accounts to send the messages made immediate source tracing difficult, adding extra layers of anonymity and hampering rapid cybersecurity responses. The financial demands vary significantly among victims, but reports from Halcyon, a ransomware analysis firm, have confirmed requests ranging from several million to 50 million dollars per organization. 

The threats of mass disclosure in dark web forums serve as additional pressure for companies to pay the ransom, putting critical information and business continuity at risk.
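A defender-side check for the pivot described above, as an added example that is not part of the original article and not Oracle's tooling: it correlates a self-service password reset on a privileged account with a subsequent login from an address never seen for that user and any large export in the same window. The event schema, the privileged-account list and the sample audit records are constructed assumptions, not Oracle EBS's real log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (assumed schema, not Oracle EBS's own): a normal
# user session, then a self-service reset on a privileged account, a login from an
# address never used by that account, and a bulk report export shortly after.
SAMPLE_EVENTS = [
    {"ts": "2025-09-28T08:02:11", "event": "login",          "user": "jdoe",      "src": "10.1.4.20", "via": "",             "rows": 0},
    {"ts": "2025-09-28T08:15:40", "event": "password_reset", "user": "fin_admin", "src": "10.1.9.77", "via": "self_service", "rows": 0},
    {"ts": "2025-09-28T08:17:03", "event": "login",          "user": "fin_admin", "src": "10.1.9.77", "via": "",             "rows": 0},
    {"ts": "2025-09-28T08:41:55", "event": "report_export",  "user": "fin_admin", "src": "10.1.9.77", "via": "",             "rows": 250000},
    {"ts": "2025-09-28T09:05:12", "event": "password_reset", "user": "jdoe",      "src": "10.1.4.20", "via": "self_service", "rows": 0},
    {"ts": "2025-09-28T09:06:30", "event": "login",          "user": "jdoe",      "src": "10.1.4.20", "via": "",             "rows": 0},
]

PRIVILEGED = {"fin_admin", "hr_admin", "sysadmin"}  # assumption: maintained by the organization
WINDOW = timedelta(hours=1)                         # how long after the reset we keep correlating
EXPORT_ROWS = 100000                                # export size considered "bulk"


def find_reset_abuse(events, privileged=PRIVILEGED, known_ips=None):
    """Return one alert per privileged self-service reset that was followed, inside
    WINDOW, by a login from an address not previously seen for that user. Any bulk
    export in the same window is attached to the alert as supporting context."""
    known = {u: set(ips) for u, ips in (known_ips or {}).items()}
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "password_reset" or ev["via"] != "self_service":
            continue
        if ev["user"] not in privileged:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        seen = known.setdefault(ev["user"], set())
        # Addresses the account logged in from before the reset count as known.
        seen.update(e["src"] for e in events[:i] if e["user"] == ev["user"] and e["event"] == "login")
        chain = {"user": ev["user"], "reset_at": ev["ts"], "new_ip_login": None, "export_rows": 0}
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > WINDOW:
                break  # events are time-ordered, nothing further is in the window
            if later["user"] != ev["user"]:
                continue
            if later["event"] == "login" and later["src"] not in seen:
                chain["new_ip_login"] = later["src"]
            if later["event"] == "report_export" and later["rows"] >= EXPORT_ROWS:
                chain["export_rows"] += later["rows"]
        if chain["new_ip_login"]:
            alerts.append(chain)
    return alerts
```

A reset that the account owner genuinely requested from a known workstation produces no alert, so the signal is the combination of reset, new address and privileged account rather than the reset alone.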


Cl0p: A Group with a History of High-Impact Attacks

The Cl0p group is one of the most notorious and persistent actors in the global ransomware landscape. With alleged origins in Russian-speaking countries, it operates under a Ransomware-as-a-Service (RaaS) model, which means it develops ransomware tools that it then rents to affiliates, who carry out the attacks on behalf of the central group, sharing the profits obtained through ransoms. 

This model has allowed Cl0p to quickly scale its reach and diversify its campaigns worldwide, while its main operators avoid direct exposure. Cl0p has been at the center of several high-profile attacks. In 2023, it was responsible for the attack against MOVEit Transfer, a platform used for the secure transfer of files in over 600 organizations, including corporate giants such as Shell, British Airways, and the BBC, as well as several U.S. state governments. 

Despite lessons learned and warnings generated from that incident, Cl0p has continued adapting and perfecting its tactics, now focusing on critical enterprise software like Oracle EBS. This strategy aims to maximize economic returns, taking advantage of the criticality of the affected systems and the tendency of many organizations to postpone the application of security patches.

Experts from Trend Micro and other cybersecurity firms agree that Cl0p has established itself as one of the main references in modern ransomware due to its double extortion approach: first stealing sensitive data and then threatening to publish it if payment is not made. This method exerts not only financial pressure but also emotional and reputational pressure on victims, who find themselves caught between paying the ransom and risking lasting damage to their image and business operations.

Institutional Response: Oracle Acknowledges the Incident and Calls for System Updates

On October 2nd, Oracle issued an official statement acknowledging that multiple clients of its E-Business Suite had been contacted by attackers with extortion emails linked to a security breach. While Oracle refrained from revealing the exact number of affected organizations or the total volume of compromised data, it confirmed that the exploited vulnerabilities had already been previously identified and mitigated through patches released in July 2025.

The most concerning fact about the Oracle incident is that many affected companies had not applied those patches in time, a situation that facilitated the success of the attack. Oracle, aware of the impact, has reinforced its communication channels with clients, offering technical assistance for the rapid application of updates, as well as gathering technical evidence to collaborate with ongoing international investigations. 

An Oracle spokesperson stated that they are actively collaborating with private security partners, cloud service providers, and government agencies to contain the threat’s spread and minimize its effects.

Google, through its cybersecurity division, also issued an alert on October 1st, confirming the detection of a massive extortion campaign linked to the Oracle EBS vulnerability. It described it as a “high-volume” attack on Oracle and urged all platform users to verify patch application, review possible unauthorized accesses, and strengthen their internal security measures.

Impact and Consequences: Beyond the Economic Ransom

The effects of this extortion campaign against Oracle go far beyond the millions of dollars in ransom demanded. Affected organizations face a wide range of risks and consequences that can compromise their future on multiple fronts.

First, there is the loss of trust from clients, business partners, and shareholders. The exposure of confidential information and the inability to protect critical data can cause irreparable damage to corporate reputation, especially in sectors where privacy and information integrity are vital, such as banking, healthcare, or manufacturing. Credibility recovery can take years and require significant investments in communication and security reinforcement.

On the other hand, the leak of sensitive Oracle data can result in severe legal sanctions, especially under strict regulations such as the General Data Protection Regulation (GDPR) in Europe or the HIPAA Act in the United States. Depending on the type of compromised data, regulatory authorities may impose multimillion-dollar fines, order exhaustive audits, and, in some cases, restrict business operations until compliance is verified.

Additionally, there are further legal risks from employees or clients whose personal data has been exposed, including lawsuits for negligence or breach of contractual obligations. The combination of these factors generates an environment of uncertainty and crisis that can affect the financial and operational stability of companies.

Finally, internally, organizations must bear costs related to forensic investigations, restoration of affected systems, implementation of new security measures, and constant monitoring to detect subsequent malicious activity. In many cases, these indirect and operational expenses far exceed the ransom amount demanded, impacting profitability and future investment capacity.

Cyber Hygiene, Resilience, and Preparedness: The Major Challenges of Today

This incident involving Oracle EBS has once again highlighted a recurring and worrying pattern in the corporate world: the lack of basic cyber hygiene. Despite having advanced technological resources and modern security solutions, many companies, including those affected in this case, continue to fail in fundamental aspects of digital protection, such as rigorous access control, proper identity management, efficient network segmentation, and, fundamentally, the timely application of critical patches.

There is a mistaken perception in many IT departments that sees ERP software as an “untouchable” piece due to its importance for daily operations. This view leads to postponing the implementation of corrective measures or updates, increasing exposure to attacks. The increase in attacks targeting critical enterprise platforms shows that traditional approaches, focused exclusively on endpoint protection or antivirus use, are no longer enough.

Modern cyber resilience demands an integrated combination of advanced technologies, strong internal policies, continuous monitoring, and ongoing staff training. It is essential that organizations design and regularly test incident response plans, establish automated update processes, and foster a security culture that permeates from top management to every employee. Only then can they face the complexity and dynamism of current threats.


The extortion campaign attributed to Cl0p against Oracle EBS should not be seen as an isolated event but as another chapter in the constant evolution of digital threats targeting complex and critical enterprise environments. As attackers perfect their methods and select targets with high financial and operational impact, organizations cannot afford to maintain a passive or reactive posture.

The protection of information, system integrity, and business continuity must be integrated as inseparable elements of corporate strategy. The Oracle EBS case demonstrates that even the most robust systems can become weak points if they do not receive adequate maintenance, permanent monitoring, and proactive risk management.

It is essential to abandon the mindset of “patch only when something fails” and move towards a preventive model based on continuous risk assessment. In today’s digital world, inaction not only exposes sensitive data: it exposes the entire viability of the business and the trust placed by clients and strategic partners. If you want to learn about the most advanced security measures to prevent cases like Oracle’s, write to us at [email protected]. Our expert team is ready to advise you.
