Here is the email Clop attackers sent to Oracle customers

Emails sent to Oracle customers by members of the Clop ransomware group assert that the cybercriminals are solely interested in a financial payout, framing the extortion as a business transaction rather than a politically motivated attack.  

The extortion emails were sent to executives of alleged victim organizations earlier this week, with attackers claiming they would provide victims copies of any three files or data rows upon request to verify their organization’s data was stolen. 

“But, don’t worry,” the attackers wrote in an extortion email, which CyberScoop obtained a copy of Thursday. “You can always save your data for payment. We do not seek political power or care about any business.”

Broken English and poor spelling appears throughout the email. The sender begins the message by introducing themselves as “CL0P team” and encourages the recipient to search for information about Clop on the internet if they haven’t heard of the highly prolific threat group.  

The extortion email is designed to achieve several goals: intimidate recipients, apply a deadline to create urgency, show proof of compromise and provide contact info to negotiate an extortion payment.  

“We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

Clop hasn’t made the claims public through its leak site. Researchers have yet to verify if a breach occurred or if the threat group is behind the attacks, yet the contact info in the emails has been previously used by the group.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The emails were sent from hundreds of compromised third-party accounts beginning on or before Monday, researchers said.

“The compromised accounts belong to various, unrelated organizations,” Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop. “This is a common tactic where threat actors acquire credentials for legitimate accounts, often from infostealer malware logs sold on underground forums, to add a layer of legitimacy to their campaigns and help bypass spam filters.”

In the email obtained by CyberScoop, the sender claims to have carefully examined the data they allegedly stole, warning “that estimated financial losses, harm to reputation and regulatory fines are likely to materially exceed the amount claimed.” 

This tactic has appeared in previous extortion attacks wherein hackers mention accompanying effects of a compromise, such as legal penalties, as a reason to pay the ransom.

The extortion email ends with a threatening call to action, claiming the clock is ticking and data will be published in a few days. 

“Please convey this information to your executive and managers as soon as possible,” the attackers said in the email. “We advice not reach point of no return.”

The full text of the email is below:

Dearest executive,

We are CL0P team. If you haven’t heard about us, you can google about us on internet.

We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.

But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.

So, your only option to protect your business reputation is to discuss conditions and pay claimed sum. In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.

We always fulfil all promises and obligations.

We have carefully examined the data we got. And, regrettably for your company, this analysis shows that estimated financial losses, harm to reputation , and regulatory fines are likely to materially exceed the amount claimed.

Lower you see our contact email addresses:

[REDACTED]

[REDACTED]

As evidence, we can show any 3 files you ask or data row.

We are also ready to continue discussing the next steps after you confirm that you are a legitimate representative of the company.

We are not interested in destroying your business. We want to take the money and you not hear from us again.

Time is ticking on clock and in few days if no payment we publish and close chat.

Please convey this information to your executive and managers as soon as possible.

After a successful transaction and receipt of payment we promise

1) technical advice

2) We will never publish you data

3) Everything we download will be delete w/proof

4) Nothing will ever disclose

Decide soon and recall that no response result in blog posting. Name is first and soon data after. We advice not reach point of no return.

KR CL0P

Update: 10/02/25, 5:30 p.m: This story has been updated with information about Oracle’s alert.