A high-volume campaign of extortion emails that began around the end of September is targeting executives and IT teams at organizations that use Oracle E-Business Suite. The messages claim the attackers exfiltrated sensitive data from EBS instances and demand large ransoms. Oracle has confirmed that some EBS customers received extortion emails and has urged customers to apply updates and follow guidance from the vendor.

Public reporting and vendor alerts indicate the campaign surfaced publicly at the end of September, with security teams observing a surge of emailed extortion attempts on or before September 29. The extortion brand and contact addresses included in the emails have connections to the CL0P data leak infrastructure according to multiple investigators, though at the time of reporting the claims of stolen data had not been independently verified by all parties. Security firms monitoring the situation have reported ransom demands in the millions, with at least one reported demand as high as $50 million. Treat the messages as high risk even while verification is pending.

Preliminary analysis from incident responders and security vendors points toward two frequently observed patterns in this campaign: first, the initial access vector in many cases appears to be compromised email accounts; second, attackers appear to be abusing application login or password reset flows on internet-exposed EBS portals to obtain valid credentials. At this early stage investigators say there is not a single, universally confirmed malware family tied to every message, which means defenders must assume both credential-based takeover and direct application-level exploitation are possible.

Why this matters for global organizations: Oracle E-Business Suite often contains payroll, procurement, financial, HR and supply-chain records. Successful compromise of EBS can expose high-value personal and commercial data and give attackers leverage for large extortion demands. Any organization that runs EBS or integrates it with other enterprise systems should immediately prioritize validation and containment actions.

Immediate actions (what to do in the next 24 to 72 hours)

  • Treat every extortion email that references Oracle EBS as actionable intelligence. Preserve the original message headers and body for forensic review and law enforcement. Do not communicate with threat actors without counsel and an incident response plan.
  • Confirm whether your organization runs internet-facing EBS portal endpoints. If so, temporarily restrict public access while you validate exposures. Where a reverse proxy or WAF is available, apply emergency rules to block suspicious traffic.
  • Force a credential reset and require multifactor authentication for any accounts that use local EBS logins. If SSO is in place, review the SSO connectors and identity provider logs for anomalous activity. Many reports indicate attackers leveraged compromised email accounts and password reset flows.
  • Apply vendor-recommended patches and mitigations immediately. Oracle has publicly stated that previously identified vulnerabilities addressed in recent patch updates are relevant and has advised customers to upgrade. Prioritize any out-of-band advisories from Oracle.
  • Hunt for indicators of compromise across email systems and EBS application logs. Look for unusual account logins, atypical password reset events, spikes in data exports, and unexpected outbound connections from EBS hosts. If you have endpoint detection and response, review for lateral movement indicators.
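To make the hunting bullet concrete, here is an added Python example (not from the original article, and not Oracle tooling) that runs the four checks listed above, atypical password reset activity, a reset followed by a login from a new address, unusually large data exports and unexpected outbound connections from EBS hosts, over a handful of constructed audit events. The pipe-delimited event format, the field names, the usernames, the IP addresses and the egress allow-list are all assumptions made for this example; real EBS audit tables, identity provider logs and proxy logs have their own schemas and would need a mapping step before these checks apply.

```python
"""Threat-hunting pass over constructed EBS-style audit events.

Everything below (event format, field names, users, addresses) is
hypothetical and constructed for this example; adapt the parser to
your own EBS audit, IdP and proxy log sources.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format: timestamp|event|user_or_host|ip|detail
# For OUTBOUND events the third field is the EBS host and the fourth is
# the destination address.
SAMPLE_LOG = """\
2025-09-28T08:02:11|LOGIN_OK|jdoe|10.1.4.22|portal
2025-09-28T08:15:40|PASSWORD_RESET|jdoe|10.1.4.22|self-service
2025-09-29T01:12:03|PASSWORD_RESET|ap_clerk|203.0.113.9|self-service
2025-09-29T01:12:45|PASSWORD_RESET|ap_clerk|203.0.113.9|self-service
2025-09-29T01:13:20|PASSWORD_RESET|ap_clerk|203.0.113.9|self-service
2025-09-29T01:14:02|LOGIN_OK|ap_clerk|203.0.113.9|portal
2025-09-29T01:20:17|LOGIN_OK|ap_clerk|198.51.100.77|portal
2025-09-29T01:25:00|EXPORT|ap_clerk|198.51.100.77|rows=250000
2025-09-29T01:31:00|EXPORT|ap_clerk|198.51.100.77|rows=310000
2025-09-29T01:40:00|OUTBOUND|ebs-app-01|192.0.2.55|dst_port=443
2025-09-29T02:00:00|OUTBOUND|ebs-app-01|10.1.4.5|dst_port=443
2025-09-29T09:00:00|EXPORT|finance_rpt|10.1.4.30|rows=1200
2025-09-29T09:05:00|LOGIN_OK|finance_rpt|10.1.4.30|portal
"""

# Constructed allow-list of destinations EBS hosts legitimately talk to.
ALLOWED_EGRESS = {"10.1.4.5", "10.1.4.6"}


def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, who, ip, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": kind,
                       "user": who, "ip": ip, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def reset_bursts(events, max_resets=2, window=timedelta(minutes=10)):
    """Users with more than max_resets password resets inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "PASSWORD_RESET":
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in by_user.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) > max_resets:
                flagged.append(user)
                break
    return sorted(flagged)


def reset_then_login_new_ip(events, window=timedelta(hours=1)):
    """A reset followed within the window by a successful login from an
    address the account had not used earlier in the log: the classic
    reset-flow takeover pattern."""
    known_ips, last_reset, hits = defaultdict(set), {}, []
    for e in events:
        user = e["user"]
        if e["event"] == "PASSWORD_RESET":
            last_reset[user] = e["ts"]
        elif e["event"] == "LOGIN_OK":
            recent_reset = user in last_reset and e["ts"] - last_reset[user] <= window
            if recent_reset and e["ip"] not in known_ips[user]:
                hits.append((user, e["ip"], e["ts"].isoformat()))
            known_ips[user].add(e["ip"])
    return hits


def export_volume_by_user(events, max_rows=100_000):
    """Per-user exported row totals that exceed a baseline threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "EXPORT" and e["detail"].startswith("rows="):
            totals[e["user"]] += int(e["detail"][len("rows="):])
    return {u: n for u, n in totals.items() if n > max_rows}


def unexpected_outbound(events, allowed=ALLOWED_EGRESS):
    """Outbound connections from EBS hosts to destinations not on the allow-list."""
    return [(e["user"], e["ip"]) for e in events
            if e["event"] == "OUTBOUND" and e["ip"] not in allowed]


def hunt(log_text):
    """Run every check and return the findings keyed by check name."""
    events = parse_events(log_text)
    return {
        "reset_bursts": reset_bursts(events),
        "reset_then_new_ip_login": reset_then_login_new_ip(events),
        "export_volume_by_user": export_volume_by_user(events),
        "unexpected_outbound": unexpected_outbound(events),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each check returns structured findings rather than printing, so the same functions can be fed from a SIEM export and their output joined against the account and host inventory. Thresholds such as the reset count, the one-hour takeover window and the export row baseline are starting points; tune them against a quiet period of your own logs before treating a hit as an incident.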

Containment and forensic steps

  • Isolate affected EBS application servers from the network and capture volatile telemetry before restarting or applying fixes. Preserve disk images for later analysis by forensic teams.
  • Collect and centralize email gateway logs and mail server audit trails to trace the origin and spread pattern of the extortion messages.
  • Maintain an evidence chain and coordinate with legal and privacy teams to meet breach notification obligations if evidence of exfiltration is found.

These steps help preserve options and prevent rushed decisions that could worsen exposure. (General IR guidance informed by vendor advisories and industry practice.)

Communications and escalation

  • Notify executive leadership, your board or the appropriate governance body, and legal counsel right away. Prepare statements that acknowledge the investigation without confirming specifics until you have verified facts.
  • Engage vendor support from Oracle and any third-party IR partners you have pre-contracted. Consider notifying national computer emergency response teams and law enforcement early so they can provide investigative support and potentially coordinate across victims.
  • Do not publish proofs of payment or negotiation details on public channels. Preserve the confidentiality of incident handling channels.

Longer term and strategic reminders

This campaign is a reminder that even mature enterprise suites become critical attack surfaces when exposed to the public internet and when identity hygiene is weak. Organizations must maintain an aggressive patch cadence, reduce direct internet exposure for enterprise management interfaces, enforce MFA universally including local application logins, and keep recovery capability intact with offline, tested backups. Regular tabletop exercises that include extortion scenarios help align technical teams and business decision makers so responses are faster and less error prone.

Closing note

Extortion campaigns that claim large-scale data theft are intended to create chaos and pressure organizations into quick payouts. The right immediate posture is rapid containment, evidence preservation, coordinated investigation with vendors and law enforcement, and clear business-led decision processes. Assume there will be more opportunistic campaigns that reuse any public exploit details or stolen credentials. Lock down identity, patch aggressively, and treat vendor-supplied advisories as actionable. Stay cautious and move quickly.