Executives at major organizations worldwide are once again on high alert after Alphabet Inc.’s Google and Oracle confirmed a sophisticated email extortion campaign targeting users of Oracle’s widely deployed E-Business Suite. The campaign, which began circulating in late September 2025, sees hackers claiming to have stolen sensitive corporate data and demanding ransoms as high as $50 million, according to reports from Reuters and Bloomberg. The attackers, who have linked themselves to the notorious Cl0p ransomware gang, are using personalized, high-pressure tactics to prey on top-level executives and IT leaders across industries.
In a statement cited by Reuters, Google revealed that the extortion emails are being sent to “executives at numerous organizations claiming to have stolen sensitive data from their Oracle E-Business Suite.” The hackers threaten to leak the allegedly stolen information unless their ransom demands—often payable in cryptocurrency—are met. These emails are not generic spam; they are carefully crafted with company-specific details, executive roles, and even references to recent business activity, making them all the more convincing and alarming for their recipients.
Oracle’s E-Business Suite is no ordinary software. As Bloomberg notes, it underpins critical operations for thousands of companies worldwide, including financial management, supply chain logistics, and customer relationship management. The potential fallout from a breach—real or perceived—could be catastrophic, risking not just financial losses but also brand reputation and customer trust.
Despite the hackers’ claims, Google has stressed that it “does not currently have sufficient evidence to definitively assess the veracity of these claims.” In other words, there is no confirmed proof that any sensitive data has actually been stolen, raising the possibility that the campaign is a classic case of psychological manipulation—an attempt to bluff organizations into paying up out of fear and urgency.
Oracle, for its part, has acknowledged the seriousness of the situation. The company confirmed the existence of the email extortion campaign, flagged by Google’s Mandiant cybersecurity team, and has issued a direct advisory to business leaders. CEOs and CIOs are being urged to alert their security teams immediately about any suspicious emails or unauthorized access attempts, review and audit Oracle Cloud configurations (especially for Fusion and NetSuite applications), and avoid any engagement with the extortionists. Oracle also recommends reporting all incidents to law enforcement and cybersecurity authorities and educating staff about phishing and social engineering tactics, particularly those targeting executives.
The timing of the campaign appears calculated to maximize pressure. According to Google’s Mandiant, the emails coincided with the period of quarterly result announcements—a time when executives are already under significant scrutiny and stress. By introducing an element of urgency and fear, the attackers hope to force quick, panicked decisions that often lead to ransom payments even when no breach has occurred.
Cybersecurity firm Halcyon, which is assisting in the response, reported that ransom demands have reached seven- and eight-figure sums, with some as high as $50 million. Cynthia Kaiser, vice president at Halcyon’s ransomware research centre, told Bloomberg, “We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days.” The firm also confirmed that at least one company has acknowledged its systems were compromised, and multiple victims have received proof of intrusion in the form of screenshots and file listings.
The technical details of the breaches are still being unraveled. Halcyon and other cybersecurity experts believe the hackers gained access by exploiting Oracle’s default password-reset process on internet-facing portals. However, there is also speculation that an underlying software flaw may have been used. The attackers reportedly launched the campaign using hundreds of hijacked third-party email accounts, making it harder for security teams to block or trace the source. The ransom notes themselves were riddled with spelling and grammar mistakes—a hallmark of Cl0p’s previous operations—and included contact details matching those on the group’s dark web leak site.
Cl0p’s involvement is no surprise to those familiar with the cybercrime landscape. The gang has a long and infamous history, including the 2023 exploitation of a vulnerability in the MOVEit file-transfer software, which led to data thefts from hundreds of major companies such as Shell, British Airways, and the BBC. The US Cybersecurity and Infrastructure Security Agency (CISA) warned last year that Cl0p had compromised thousands of organizations worldwide through phishing and mass email attacks, calling it one of the largest phishing and malspam distributors globally.
As Reuters points out, the mere threat of a breach—even if unsubstantiated—can create significant financial and reputational risks for organizations. In the high-stakes world of corporate cybersecurity, perception can be as damaging as reality. Some companies, eager to avoid negative publicity or regulatory scrutiny, may pay ransoms even when there is no concrete evidence of a data leak. This not only emboldens cybercriminals but also perpetuates the cycle of extortion.
Oracle’s advisory underscores the importance of vigilance and preparation. The company emphasized that “even if breach claims are false, the psychological manipulation and reputational risk posed by these emails are real.” Cybersecurity experts echo this sentiment, urging companies to invest in regular network security checks, multi-layered security protocols, and thorough employee education programs. As the current campaign demonstrates, the weakest link is often human: a single click on a convincing email can open the door to disaster.
So far, Oracle has declined to comment on the specifics of the alleged breaches, and Google has not disclosed how many organizations or individuals have been targeted. The full scope of the campaign remains unclear, but the coordinated response from leading technology and cybersecurity firms highlights the seriousness with which the threat is being treated.
For businesses relying on Oracle’s E-Business Suite, the message is clear: stay alert, follow best practices, and don’t let fear drive hasty decisions. The digital battlefield is constantly shifting, and while the latest attack may prove to be more smoke than fire, the risks—both real and psychological—are all too tangible in today’s interconnected world.