Extortion emails received by Oracle E-Business Suite customers & confirmed by Oracle
In late September 2025, Oracle E-Business Suite (EBS) customers found themselves at the center of a new wave of cyber extortion activity linked to the notorious Clop ransomware group. While Oracle has not confirmed attribution, reports indicate that multiple organizations received extortion emails demanding multimillion-dollar ransoms following alleged data theft. This incident underscores a growing trend where attackers exploit public vulnerability disclosures and enterprise software exposures to execute high-stakes extortion campaigns. The following analysis breaks down the timeline, technical vectors, and expert insights surrounding the EBS extortion event, and offers actionable guidance for organizations aiming to stay ahead of such threats.
Incident Overview
Date disclosed: October 2, 2025
Affected product: Oracle E-Business Suite (EBS)
Incident type: Extortion campaign with possible ransomware links
Threat actor: Clop ransomware group (claimed responsibility, though Oracle has not confirmed attribution)
Details
Oracle confirmed that some EBS customers received extortion emails claiming data theft.
The campaign surfaced publicly on Sept. 29, when emails were sent to executives at multiple organizations.
Attackers showed screenshots as “proof” of compromise and issued ransom demands up to $50M.
Reconnaissance and initial access likely began weeks earlier, around the July 2025 Critical Patch Update (CPU) release.
Technical Aspects
Vulnerabilities involved: Oracle addressed 9 EBS flaws in the July 2025 CPU.
Three medium-severity CVEs are remotely exploitable without credentials:
CVE-2025-30745
CVE-2025-30746
CVE-2025-50107
Attackers appear not to be exploiting the CVEs directly. Instead, they are abusing Oracle EBS default password reset functions on internet-facing portals to gain valid credentials.
Statements
Oracle (Rob Duhart, CISO): Strongly recommends immediate patching and use of Oracle’s security checker to confirm protection.
GTIG (Google Threat Intelligence Group): Confirmed Clop began sending extortion emails Sept. 29.
Damon Small (Xcape, Inc.): Stressed that attackers move quickly once vulnerabilities are disclosed—delayed patching puts organizations at risk.
Certis Foster (Deepwatch): Warned that MFA and SSO are critical for exposed EBS applications; attackers prepared for weeks, sending extortion emails from hundreds of compromised accounts.
Mitigation Guidance
Apply all July 2025 patches immediately (and any subsequent ones).
Run Oracle’s patch checker to confirm deployment.
Enforce MFA and SSO for any externally accessible EBS applications.
Monitor for suspicious logins tied to abused password resets.
Check email and account logs for signs of compromise or extortion attempts.
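One way to implement the monitoring step above, as an added example that is not from Oracle or the original article: it flags a successful login that follows a password reset within 24 hours from a source IP never before seen for that account. The event format, account names, IP addresses, and the 24-hour window are constructed assumptions; map your own EBS and web-tier log fields onto them.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window; tune per environment

# Constructed sample events (not real EBS output): time, account, event, source IP.
SAMPLE_EVENTS = """\
2025-08-01T09:02:11 JSMITH login_success 10.20.1.15
2025-08-03T08:55:40 JSMITH login_success 10.20.1.15
2025-08-09T02:14:03 JSMITH password_reset 203.0.113.77
2025-08-09T02:19:47 JSMITH login_success 203.0.113.77
2025-08-10T10:01:00 MLEE password_reset 10.20.4.8
2025-08-10T10:03:30 MLEE login_success 10.20.4.8
2025-08-05T07:30:00 MLEE login_success 10.20.4.8
2025-08-12T23:40:00 AKHAN password_reset 198.51.100.9
2025-08-14T23:45:00 AKHAN login_success 198.51.100.9
"""

def parse_events(text):
    """Parse 'ISO-time account event ip' lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(events)  # logs from several tiers rarely arrive in order

def find_suspicious_logins(events, window=WINDOW):
    """Flag logins within `window` of a reset from an IP new to that account."""
    known_ips = {}   # account -> IPs seen in earlier, unflagged logins
    last_reset = {}  # account -> time of most recent password reset
    findings = []
    for ts, user, event, ip in events:
        if event == "password_reset":
            last_reset[user] = ts
        elif event == "login_success":
            seen = known_ips.setdefault(user, set())
            reset_ts = last_reset.get(user)
            if reset_ts is not None and ts - reset_ts <= window and ip not in seen:
                findings.append({"user": user, "ip": ip, "login": ts,
                                 "delay": ts - reset_ts})
            else:
                seen.add(ip)  # flagged IPs never enter the baseline
    return findings

if __name__ == "__main__":
    for f in find_suspicious_logins(parse_events(SAMPLE_EVENTS)):
        print(f"{f['login']} {f['user']} login from new IP {f['ip']} "
              f"{f['delay']} after password reset")
```

A reset followed by a login from a long-established address (MLEE) or a login well outside the window (AKHAN) is not flagged, which keeps routine self-service resets out of the alert queue.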
The Oracle EBS extortion campaign underscores how essential it is to stay ahead of emerging threats through proactive patching, monitoring, and expert oversight. At iArch Solutions, we know how challenging it can be for finance and IT leaders to balance daily operations with security demands. Our Managed Services team takes that burden off your plate by keeping your Oracle environments secure, optimized, and reliable. With our senior experts managing your systems, you can focus on growth and innovation while we ensure your technology is always protected and performing at its best.