Thursday, October 2, 2025

Clop extortion emails declare theft of Oracle E-Enterprise Suite information

Mandiant and Google are tracking a new extortion campaign in which executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.

According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.

“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” Stark said.

Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from numerous compromised email accounts.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our preliminary analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion,” Carmakal explained.

Mandiant and GTIG report that the emails contain contact addresses known to be listed on the Clop ransomware gang’s data leak site, indicating a possible link to the extortion group.

However, Carmakal says that while the tactics are similar to Clop’s previous extortion campaigns and the email addresses indicate a potential link, there is not enough evidence to determine whether data has actually been stolen.

Mandiant and GTIG recommend that organizations receiving these emails examine their environments for unusual access to, or compromise of, their Oracle E-Business Suite platforms.

BleepingComputer contacted the Clop ransomware gang to confirm whether they are behind the extortion emails, but has not received a response at this time.

We have also contacted Oracle to determine whether they are aware of any recent zero-day exploitation that may have led to the theft of data.

If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.

Who is the Clop extortion gang?

The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in March 2019 when it began targeting enterprise networks with a variant of the CryptoMix ransomware.

Like other ransomware gangs, Clop members breach corporate networks, steal data, and then deploy ransomware to encrypt systems.

The stolen data and encrypted files are then used as leverage to force companies to pay a ransom demand in exchange for a decryptor and to prevent the leaking of the stolen data.

While the group is still known to deploy ransomware, since 2020 it has shifted to exploiting zero-day vulnerabilities in secure file transfer platforms to steal data.

Some of their most notable attacks include:

The most recent campaign associated with Clop was in October 2024, when the threat actors exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies.

The U.S. State Department currently offers a $10 million reward through its Rewards for Justice program for information linking Clop’s ransomware activities to a foreign government.
