Ransomware hackers claim Oracle app breach, tell victims their data has been stolen

Hackers claim to have stolen Oracle E-Business Suite data, demanding ransom from executives
Campaign linked to FIN11 and possibly Cl0p, using hundreds of compromised email accounts
No proof of data theft yet; researchers urge checking Oracle logs for suspicious activity

Cybercriminals are mailing executives at various American organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems, and most likely demanding payment in exchange for keeping the files out of public reach.

“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at Google’s Threat Intelligence Group (GTIG), which along with Mandiant, have been tracking the campaign since late September 2025.

In other words, there is still no evidence that what these hackers are saying is true. Sometimes, crooks would simply try to bluff their way into being sent money, and this certainly wouldn’t be the first time it happened.

Links to Fin11 and Cl0p

What makes this campaign interesting is its link to different hacking collectives.

According to Charles Carmakal, CTO of Mandiant – Google Cloud, the emails are being sent from hundreds of compromised email accounts – including one known to belong to a financially-motivated threat actor.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion,” Carmakal said.

At the same time, the emails held contact addresses that were previously listed on Cl0p’s data leak site, so it is possible that both groups are involved in the campaign, or are simply sharing resources. The evidence is not compelling enough to confirm the links, though.