Mandiant and Google are tracking a new extortion campaign in which executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.
“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of several investigations and have not yet substantiated the claims made by this group,” Stark said.
Charles Carmakal, CTO of Mandiant – Google Cloud, said that the extortion emails are being sent from a large number of compromised email accounts.
“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts, and our preliminary analysis confirms that at least one of these accounts has previously been associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion,” Carmakal explained.
Mandiant and GTIG report that the emails contain contact addresses known to be listed on the Clop ransomware gang’s data leak site, indicating a possible link to the extortion group.
However, Carmakal says that while the tactics are similar to Clop’s earlier extortion campaigns and the email addresses point to a potential link, there is not yet enough evidence to determine whether data has actually been stolen.
Mandiant and GTIG recommend that organizations receiving these emails investigate their environments for unusual access to, or compromise of, their Oracle E-Business Suite platforms.
BleepingComputer contacted the Clop ransomware gang to confirm whether they are behind the extortion emails, but has not received a response at this time.
We have also contacted Oracle to determine whether they are aware of any recent zero-day exploitation that may have led to the theft of data.
If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.
Who is the Clop extortion gang?
The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in March 2019 when it began targeting enterprise networks with a variant of the CryptoMix ransomware.
Like other ransomware gangs, Clop members breach corporate networks, steal data, and then deploy ransomware to encrypt systems.
The stolen data and encrypted files are then used as leverage to force companies to pay a ransom in exchange for a decryptor and to prevent the stolen data from being leaked.
While the group is still known to deploy ransomware, since 2020 it has shifted to exploiting zero-day vulnerabilities in secure file transfer platforms to steal data.
Some of their most notable attacks include:
The most recent campaign associated with Clop was in October 2024, when the threat actors exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies.
The U.S. State Department currently offers a $10 million reward through its Rewards for Justice program for information linking Clop’s ransomware activities to a foreign government.

