I saw this earlier today, October 2, 2025 and never got around to blogging this.
It was a busy day, and a bit of a setback in my recovery, but I’m doing fine. It was mainly stress, not illness, on the day of writing.
It seems as though they (the Clop gang, covered below) have targeted another agency as of late.
This time, it’s Oracle’s E-Business Suite data.
While the investigation is still ongoing with Google and their team at Mandiant, it seems like it started within the past several days.
The article does go through Clop’s history through the years including some of the biggest breaches we’ve covered since TSB’s inception. A lot of this has been blogged, and you can search Clop or its variants for other articles if you wish to do so.
Since there is no proof yet that it is actually Clop, we’ll have to see if news comes out with more definite detail on what’s going on. Just because the email says it is Clop means nothing these days, since some of this is PR. Continue reading below.
[Image of Clop’s potential extortion email]
Picture Smart’s description of the image says:
The image is a ransom note from a group called the CLOP team, claiming to have breached an Oracle E-Business Suite and stolen private files. They demand payment to prevent public release or sale of the data to black markets. They offer to show proof by sharing three files and promise not to destroy the business if paid. They warn that lack of response will lead to data publication. They provide two contact emails and list four post-payment commitments. The tone is threatening yet professional.
This is pretty typical of ransomware groups, and we know they have lied in the process by still selling or releasing data after payment, so this should always be taken with a grain of salt.
The text above the image says:
“We are CL0P team. If you haven’t heard about us, you can google about us on internet,” reads the extortion email shared with BleepingComputer.
“We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.”
“But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business. So, your only option to protect your business reputation is to discuss conditions and pay claimed sum.”
“In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.”
The article continues:
After publishing this story, Clop claimed to BleepingComputer that they are involved in the extortion email, indicating a bug in Oracle’s product was exploited in the attacks. However, the threat actors would not share more detailed information about the alleged attacks.
“We not prepared to discuss details at this time,” Clop told BleepingComputer.
Remember, this is only what they wrote; it could be a ploy and may not necessarily be completely true. We don’t know what their motive is, and it could be a PR move by the group, which these groups are good at.
They continue:
“Soon all will become obvious that Oracle bugged up their core product and once again, the task is on clop to save the day. We do not damage to systems and only expect payment for services we provide to protect hundreds of biggest companies in world.”
The question for Clop, then, is what services do you provide to these companies if you don’t damage systems and sell the data like most other ransomware groups do? I call bull fucking shit.
Some of the notable attacks highlighted in this article include, but are not limited to, the following four items:
- 2020: Exploiting a zero-day in the Accellion FTA platform, affecting nearly 100 organizations.
- 2021: Exploiting a zero-day in SolarWinds Serv-U FTP software.
- 2023: Exploiting a zero-day in the GoAnywhere MFT platform, breaching over 100 companies.
- 2023: Exploiting a zero-day in MOVEit Transfer was Clop’s most extensive campaign to date, where a zero-day exploit allowed data theft from 2,773 organizations worldwide.
They also note a 2024 attack which was more recent. I don’t know if we’ve covered this, but that paragraph says:
The most recent campaign associated with Clop was in October 2024, when the threat actors exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies.
I think this was one of their biggest plights, as that was huge for its time.
If you want to take a complete look at this article, please read “Clop extortion emails claim theft of Oracle E-Business Suite data” on BleepingComputer, and make it a great day.