Alphabet’s Google has raised the alarm over a new wave of extortion emails aimed at company executives. The messages claim hackers have stolen sensitive data from Oracle’s business software, but Google says there is no evidence yet to back up those claims.
According to Google, the campaign is referencing Oracle’s E-Business Suite, a widely used set of enterprise applications. The emails are being sent out at scale, reaching leaders across multiple industries. However, Google stressed that it cannot verify whether any data theft has actually taken place.
The emails are said to come from actors who claim to be linked to the cl0p ransomware gang, a well-known group associated with large-scale data theft and extortion in the past. Still, Google stopped short of directly attributing the operation, saying it lacks sufficient evidence to confirm the attackers’ identity or the legitimacy of their claims.
Oracle has not yet commented on the matter.
What stands out in this campaign are the ransom demands. Cynthia Kaiser, head of Halcyon’s Ransomware Research Center, said her team has seen demands ranging anywhere from millions to tens of millions of dollars. The largest ask so far is reported at $50 million. But she cautioned that attribution is still “murky,” given the way criminal groups often overlap and copy each other’s tactics. “There’s so much overlap amongst all these groups, and there are copycats across the ecosystem,” Kaiser explained.
Cl0p itself has not shed much light on its involvement. In an email to Reuters, the group declined to provide details, saying only that the hackers were “not prepared to discuss details at this time.”
Security experts advise targeted executives and companies not to reply to these emails. Instead, they should preserve all evidence, alert their internal cybersecurity teams, and work with law enforcement. Companies using Oracle E-Business Suite are also being urged to take proactive steps: review access logs, look for unusual activity, confirm all critical patches are applied, and ensure identity protections are enforced.
The campaign reflects a broader trend in cybercrime, where extortion groups increasingly use fear and uncertainty to pressure organisations into paying, even when there is no clear evidence that a breach occurred. For now, the key advice remains simple, don’t engage, lock down your systems, and let investigators do their job.
