Oracle Breach: Ransom Demands Keep Coming Months Later
What Happened in the Oracle E-Business Suite Hack?
A sprawling extortion campaign tied to the CL0P brand has targeted organizations that run Oracle’s E-Business Suite (EBS), with attackers claiming they stole data from victims’ EBS environments and then pressuring executives for payment. The campaign surfaced publicly in late September 2025 and continued into January 2026, with reports of ongoing ransom demands and new victim notifications.
Google Threat Intelligence Group (GTIG) and Mandiant said the extortion emails began on or before September 29, 2025, and followed “months of intrusion activity,” with exploitation activity observed as early as August 9, 2025, plus suspicious activity going back to July 10, 2025.
Oracle has confirmed that customers received extortion emails, but public accounts still differ on whether the attackers relied on already-patched flaws or on a then-unpatched weakness later tracked as CVE-2025-61882.

Timeline: From First Access To Latest Update
GTIG described a two-part pattern: intrusions into customer EBS environments, followed by a large-volume extortion email push aimed at executives. Public filings and media reports show victim notifications and litigation unfolding over the subsequent months.
Key dated milestones, based on GTIG reporting, U.S. vulnerability records, and state breach-notice filings:
- July 10, 2025: GTIG said suspicious activity tied to EBS targeting dates back to July 10, 2025. A Maine breach-notice entry for The Washington Post also lists 07/10/2025 as the breach occurrence date.
- August 9, 2025: GTIG said exploitation consistent with the campaign occurred as early as Aug. 9, 2025. Maine breach-notice entries list 08/09/2025 as the breach occurrence date for organizations such as LKQ and Cox Enterprises.
- September 29, 2025: GTIG said the extortion email campaign began on or before Sept. 29, 2025. Reuters also reported Google’s warning about extortion emails around this time.
- October 3, 2025: Reuters reported Oracle acknowledged customers had received extortion emails and cited ransom demands ranging into the millions and up to $50 million, according to Halcyon.
- October 4 to October 5, 2025: Public vulnerability records show CVE-2025-61882 published on Oct. 5, 2025; Oracle issued an alert and guidance around the same period, according to GTIG’s account of Oracle’s communications.
- October 6, 2025: The U.S. National Vulnerability Database (NVD) entry for CVE-2025-61882 shows it was added to CISA’s Known Exploited Vulnerabilities catalog on 10/06/2025, with a federal remediation due date of 10/27/2025.
- October 10 to October 11, 2025: GTIG published a detailed report on October 10, 2025, and noted Oracle released another patch on Oct. 11 addressing CVE-2025-61884.
- November to December 2025: Victim notifications expanded. Maine breach-notice pages show consumer notification dates such as 11/07/2025 (GlobalLogic), 11/12/2025 (The Washington Post), 11/20/2025 (Cox Enterprises), and 12/15/2025 (LKQ).
- December 5, 2025: Politico reported a former Washington Post employee filed a class action suit tied to the incident, citing exposure of sensitive employee data and seeking damages and security changes.
- January 14, 2026: The Wall Street Journal reported the Oracle-related hack was still generating ransom demands months later.
What Data Or Systems Were Affected
Oracle E-Business Suite is an enterprise platform that can store finance, procurement, HR, and operational records, which makes it attractive for data-theft extortion. GTIG said the actor claimed theft of “sensitive data” from EBS environments and, in some cases, exfiltrated a significant amount of data.
Public breach-notice filings indicate personal information exposure in at least some cases. For example, Maine’s breach-notice entry for The Washington Post lists a total of 9,720 affected people and says identity protection services were offered for 12 months.
In litigation tied to The Washington Post incident, Politico reported allegations that sensitive employee information such as Social Security numbers and banking information was exposed, though the outlet declined public comment in that account.
Who Was Responsible (Confirmed Vs Alleged)
GTIG attributed the extortion push to a financially motivated actor operating “under the CL0P brand,” with the actor claiming affiliation with the extortion brand rather than GTIG making a definitive public attribution to a single tracked group.
Reuters reported Google’s description of a ransomware group claiming affiliation with “cl0p,” while noting limited evidence at the time to verify all claims in extortion emails.
GTIG also discussed overlap signals with clusters historically associated with the CL0P leak site, including references to FIN11 and similarities to tooling seen in suspected FIN11-linked activity. GTIG said ongoing analysis may clarify relationships among clusters and the current campaign.
How The Attack Worked
GTIG said the extortion campaign launched as a high-volume email operation sent from “hundreds, if not thousands” of compromised third-party accounts, with the likely source of those accounts being credentials pulled from infostealer logs sold in underground markets.
To support claims, GTIG said the actor provided legitimate file listings from victim EBS environments, with data dating back to mid-August 2025. The report also discussed multiple exploit paths targeting EBS components such as /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet, plus post-exploitation tooling that operated largely in memory.
On the vulnerability side, CVE-2025-61882 is described in NVD as a critical flaw affecting Oracle E-Business Suite supported versions 12.2.3–12.2.14, allowing an unauthenticated attacker with network access over HTTP to compromise Oracle Concurrent Processing (BI Publisher Integration), with potential “takeover” impact and a 9.8 CVSS v3.1 base score.
A second issue, CVE-2025-61884, also affects EBS supported versions 12.2.3–12.2.14 and was later added to CISA’s exploited-vulnerability catalog with a due date shown in NVD of 11/10/2025.
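The two EBS endpoints and the affected version range above are the concrete facts a defender can act on while the rest of the picture is still being argued over. The following is an added triage example written for this article, not code from GTIG, Oracle, or any of the cited sources: it parses constructed web-server access log lines in Apache combined format (an assumption; adjust the regular expression to whatever sits in front of your EBS tier), flags requests to the two servlets the GTIG report names, groups them by source address so unusual callers stand out, and checks whether a given EBS version string falls inside the 12.2.3 to 12.2.14 range NVD lists. A hit on these paths is not proof of compromise, since legitimate EBS clients use them too; the point is to give reviewers a short list to correlate with the Oracle alert and the KEV due dates rather than the whole log.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Version range NVD lists as affected for CVE-2025-61882 and CVE-2025-61884.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# EBS components the GTIG report names as targeted by the observed exploit paths.
WATCHED_PATHS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet")

# Apache/NCSA combined log format (assumed; change to match your proxy or load balancer).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample log lines for this example; the addresses and timestamps are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4521',
    '10.0.0.5 - - [12/Aug/2025:09:14:10 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 318',
    '198.51.100.23 - - [12/Aug/2025:03:02:41 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 1204',
    '198.51.100.23 - - [12/Aug/2025:03:02:55 +0000] "POST /OA_HTML/configurator/UiServlet?_t=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Aug/2025:09:20:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 9000',
    "not a log line at all",
]


def is_affected_version(version: str) -> bool:
    """True if an EBS version such as '12.2.9' lies in 12.2.3..12.2.14 inclusive."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_watched_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose path (query string dropped) is a watched EBS servlet."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if path in WATCHED_PATHS:
            entry["path"] = path
            hits.append(entry)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per (source IP, path, method) so reviewers can spot unfamiliar callers."""
    return Counter((h["ip"], h["path"], h["method"]) for h in hits)


def triage(lines: Iterable[str], ebs_version: str) -> Dict[str, object]:
    """Combine the version check and the log scan into one review record."""
    hits = find_watched_requests(lines)
    return {
        "ebs_version": ebs_version,
        "version_in_affected_range": is_affected_version(ebs_version),
        "watched_request_count": len(hits),
        "by_source": dict(summarize(hits)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "12.2.9")
    print(f"EBS {report['ebs_version']} in affected range: {report['version_in_affected_range']}")
    print(f"Requests to watched servlets: {report['watched_request_count']}")
    for (ip, path, method), count in report["by_source"].items():
        print(f"  {ip:15} {method:5} {path} x{count}")
```

Run it against an exported access log instead of `SAMPLE_LOG` and compare the sources that appear against the addresses you expect to reach the EBS web tier; a version inside the affected range combined with unexplained external callers is the case worth escalating against the Oracle alert and the CISA remediation dates the article cites.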
Company Response And Customer Remediation
Oracle has said customers received extortion emails and advised clients to upgrade, with Reuters reporting Oracle’s view that attackers may have exploited previously known software vulnerabilities.
GTIG documented a sequence of Oracle communications and patches, including emergency patches referenced around Oct. 4, 2025, plus a follow-on patch on Oct. 11 that GTIG assessed would likely address known exploitation chains.
Customer remediation has varied across organizations, but state filings show a common pattern of credit monitoring and identity protection offers. Maine’s breach-notice entries list examples such as 12 months of IDX services (The Washington Post and Cox Enterprises) and 24 months of TransUnion-related monitoring and restoration services (GlobalLogic and LKQ).
Government, Law Enforcement, And Regulator Actions
U.S. government vulnerability tracking reflects active exploitation. NVD’s record for CVE-2025-61882 shows it entered CISA’s Known Exploited Vulnerabilities catalog on 10/06/2025, with a remediation due date of 10/27/2025 and standard language urging mitigations per vendor instructions or discontinuation if mitigations are unavailable.
NVD’s record for CVE-2025-61884 also shows inclusion in the known-exploited list, with a listed “date added” of 10/20/2025 and a due date of 11/10/2025.
Separately, breach-notice portals such as Maine’s consumer protection site have served as a public disclosure channel for organizations reporting impacts and notifying affected individuals, including totals affected and notification dates.
Financial, Legal, And Business Impact
Ransom demands tied to the campaign have reached very large figures. Reuters cited Halcyon’s Ransomware Research Center, reporting extortion amounts ranging from millions up to $50 million in at least one case.
Beyond ransom pressure, incident response and customer notification costs can add up quickly for organizations running large ERP footprints. State filing entries show multi-month delays between breach occurrence and discovery in several cases, which tends to widen forensic scope and increase the number of people notified. For example, Maine’s entry for The Washington Post lists a breach occurrence date of 07/10/2025, a discovery date of 10/27/2025, and a consumer notification date of 11/12/2025.
Legal exposure has also followed. Politico reported a class action complaint filed on December 5, 2025, tied to the Washington Post incident, seeking damages and changes in security practices.
What Remains Unclear About the Oracle E-Business Suite Hack
The campaign’s total victim count remains uncertain in public reporting, in part because not all impacted organizations have confirmed incidents publicly. Reuters reported Google’s characterization of the campaign as “high volume,” and later noted estimates that more than 100 companies could be affected, but a complete list has not been published.
Key technical questions also remain unsettled in public accounts. Oracle’s public posture cited possible exploitation of already-known vulnerabilities, while GTIG assessed activity consistent with a zero-day tied to CVE-2025-61882 and discussed multiple exploit chains observed in the wild.
Finally, extortion emails do not always prove data theft, and Reuters noted Google said it lacked sufficient evidence at the time to verify all attacker claims. GTIG said it had observed cases with significant data exfiltration, which suggests a mixed picture across targets.
Who Were the Affected Parties
Organizations running Oracle EBS, along with the employees and customers whose data sat in their HR, finance, and other business systems, were affected by the Oracle EBS breach. Public reporting has cited more than 100 impacted organizations.
Examples named in reporting include:
- Harvard University
- Envoy Air (American Airlines subsidiary)
- Cox Enterprises
- University of Phoenix
- The Washington Post (employee data)
- Korean Air-related unit (employee data)
Why This Incident Matters
The EBS campaign fits a playbook that has driven several of the highest-impact extortion waves in recent years: attackers focus on widely deployed enterprise software, take data, then apply pressure without necessarily deploying encrypting ransomware. GTIG said the actor used compromised third-party mail accounts at scale and aimed messages at senior executives, which can compress decision cycles during an incident.
It also shows how difficult vulnerability attribution and patch-timing clarity can get during an active incident. Public narratives differed on whether exploitation relied on previously patched flaws or an unpatched weakness later formalized as CVE-2025-61882, and defenders had to act quickly as government catalogs reflected exploitation in the wild.
Transparency note: This story was drafted with assistance from an AI language model used for organizing the timeline, comparing dates across the cited sources, and flagging conflicts for review. A human review step checked the draft for consistency, attribution, and required structure.
How Bright Defense Helps Reduce Risk
Bright Defense can help reduce exposure to campaigns like this with targeted testing of ERP systems and internet-facing services, paired with continuous compliance checks that track patching, identity controls, and hardening.
Sources
- Wall Street Journal — Oracle Hack Still Generating Ransom Demands (January 14, 2026): https://www.wsj.com/articles/oracle-hack-still-generating-ransom-demands-06887763
- Reuters — Oracle says hackers are trying to extort its customers (October 3, 2025): https://www.reuters.com/business/oracle-says-hackers-are-trying-extort-its-customers-2025-10-03/
- Reuters — Google says hackers are sending extortion emails to executives (October 2, 2025): https://www.reuters.com/business/google-says-hackers-are-sending-extortion-emails-executives-2025-10-02/
- Reuters — Washington Post says it is among victims of cyber breach tied to Oracle software (November 6, 2025): https://www.reuters.com/business/media-telecom/washington-post-says-it-is-among-victims-cyber-breach-tied-oracle-software-2025-11-06/
- Google Cloud Blog (GTIG and Mandiant) — Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign (October 10, 2025): https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation/
- NVD (NIST) — CVE-2025-61882 detail page (published October 5, 2025): https://nvd.nist.gov/vuln/detail/CVE-2025-61882
- NVD (NIST) — CVE-2025-61884 detail page (includes KEV dates): https://nvd.nist.gov/vuln/detail/CVE-2025-61884
- Oracle — Security Alert for CVE-2025-61882: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- Oracle — Security Alert for CVE-2025-61884: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
- Oracle — Critical Patch Update Advisory (October 2025): https://www.oracle.com/security-alerts/cpuoct2025.html
- Maine Attorney General Data Breach Notifications — The Washington Post filing (consumer notice November 12, 2025, total affected 9,720): https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/12a31419-4ed0-41ba-a045-2593908ba368.html
- Maine Attorney General Data Breach Notifications — GlobalLogic filing (consumer notice November 7, 2025, total affected 10,471): https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/a69e0001-a0f8-46d9-a49d-cb01159afec2.html
- Maine Attorney General Data Breach Notifications — Cox Enterprises filing (consumer notice November 20, 2025, total affected 9,479): https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/314b7585-15e4-4574-b102-6593275436d2.html
- Maine Attorney General Data Breach Notifications — LKQ filing (consumer notice December 15, 2025, total affected 9,070): https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/0f46ebfd-5508-426d-88f9-3ad07e6ef483.html
- Politico — Former Washington Post employee launches class action suit after data breach (December 5, 2025): https://www.politico.com/news/2025/12/05/washington-post-lawsuit-data-breach-00678978
- SecurityWeek — Oracle says known vulnerabilities possibly exploited in extortion attacks (October 10, 2025): https://www.securityweek.com/oracle-says-known-vulnerabilities-possibly-exploited-in-recent-extortion-attacks/
- TechCrunch — Hackers are sending extortion emails to executives after claiming Oracle apps data breach (October 2, 2025): https://techcrunch.com/2025/10/02/hackers-are-sending-extortion-emails-to-executives-after-claiming-oracle-apps-data-breach/
- TechRepublic — Oracle extortion case cites demands up to $50 million (October 2, 2025): https://www.techrepublic.com/article/news-oracle-e-business-suite-breach-ransom-extortion-clop/