Google and Oracle face extortion campaign as cybercriminals target enterprise systems

03 October 2025
Google and Oracle are investigating a major cyber extortion campaign targeting executives and enterprise customers, after attackers claiming ties to the Cl0p ransomware gang began sending ransom emails alleging theft of data from Oracle’s E-Business Suite.

The campaign, first reported by Reuters, surfaced in late September and has since grown into a global operation affecting hundreds of organisations.

Google’s security teams, including Mandiant and its Threat Intelligence Group (GTIG), confirmed that the attackers are using compromised email accounts to send highly personalised extortion demands to corporate leaders.

According to Google, the messages allege that the attackers have exfiltrated sensitive customer data from Oracle environments and threaten to leak it unless payment is made. However, Google says it currently has “insufficient evidence” to verify that such data theft has occurred.

Google said it began tracking the campaign around 29 September and has identified patterns linking it to FIN11, a financially motivated threat group associated with the Cl0p ransomware operation. The attackers are believed to be using previously compromised systems to distribute the emails at scale.

In a statement, Google said its priority is to “protect customers and the broader ecosystem” and urged organisations to monitor for suspicious access within Oracle E-Business environments, review recent login activity, and ensure that all available security patches have been applied.

Oracle, meanwhile, confirmed that some of its customers using E-Business Suite have received extortion messages but said it has not found evidence that its own systems were breached. The company advised clients to “maintain up-to-date security configurations” and apply the latest patches as a precaution.

Cybersecurity researchers say the campaign bears hallmarks of modern extortion tactics, which combine data theft claims, credential compromise, and social engineering to create urgency without necessarily having access to the alleged material. Some reported ransom demands have ranged from seven to eight figures, with one reaching up to US$50 million, according to BankInfoSecurity.

Earlier this year, Oracle faced separate cyber incidents involving legacy environments and healthcare-related systems inherited from its Cerner acquisition. In those cases, the company said unauthorised actors accessed old credentials and copied patient data from specific servers, prompting an FBI investigation.

Google, for its part, has recently expanded its AI-based cyber defence tools, including the launch of ransomware detection for Google Drive desktop clients. The new feature uses AI models to identify suspicious encryption activity and halt syncing before malicious software can propagate across connected devices.

While neither Google nor Oracle has confirmed a breach of their core platforms, both companies are urging heightened vigilance. Google’s Mandiant division continues to track the campaign’s scope, while Oracle says it is “working closely with customers and partners” to ensure systems remain protected.