A fresh wave of cyberattacks has put some of the world’s biggest companies on high alert. Google has revealed that hackers tied to the infamous Cl0p ransomware group are exploiting Oracle’s widely used E-Business Suite to steal corporate data and demand massive ransoms. The campaign began in late September and has already seen ransom requests climb to eight-figure sums, with some victims receiving threats as high as 50 million dollars.

How the Attack Unfolded

Oracle’s E-Business Suite is critical software that powers everything from finance to supply chains and customer management for global firms. Hackers claim to have gained access to these systems and stolen sensitive files. Victims have received screenshots and file listings as proof that their data was taken, making the extortion threats even more credible. Cybersecurity firm Halcyon confirmed that several companies have been targeted and that the ransom demands in recent days have reached unprecedented levels.

Google’s Findings and the Cl0p Connection

Google’s Threat Intelligence Group traced the extortion emails back to September 29. The attackers sent messages through hijacked third-party email accounts, with some addresses linked to Cl0p’s previous campaigns. Halcyon researchers believe the hackers gained access by exploiting Oracle’s default password reset process on public-facing portals, though some experts suspect a deeper software flaw may also be involved.

The extortion emails were described as poorly written, filled with spelling and grammar mistakes, but still carried the intimidating demand for payment. The messages included contact details that matched those on Cl0p’s dark web leak site, where the group typically publishes stolen data if victims refuse to pay.

Oracle’s Silence and a History of Attacks

Oracle has declined to comment on the breach reports so far. For many security experts, the incident echoes Cl0p’s earlier attacks, including the 2023 MOVEit data theft operation that compromised companies such as Shell, British Airways parent IAG and the BBC. That campaign alone affected hundreds of firms across multiple industries.

Cl0p is considered one of the world’s most persistent ransomware groups, with the US Cybersecurity and Infrastructure Security Agency warning last year that the gang had successfully infiltrated thousands of organisations through phishing, mass email campaigns and large-scale exploits.

A Persistent Global Threat

The new Oracle-based attacks underline how cybercriminals are moving beyond simple phishing emails to exploit enterprise-level platforms that hold vast amounts of sensitive information. With ransom demands now hitting tens of millions of dollars, the pressure on businesses to strengthen their defences has never been greater. Security experts are urging companies to review their Oracle systems, update protections and educate staff about the tactics being used to isolate and pressure victims.

The scale of this campaign shows that cyber extortion is evolving into one of the most dangerous threats to global business, combining technical exploitation with psychological warfare to push victims into paying.

