A new wave of Cl0p ransomware attacks has struck organizations worldwide by exploiting vulnerabilities in Oracle’s E-Business Suite (EBS) — a mission-critical enterprise management platform used by corporations and universities across the globe. The ongoing campaign, attributed to FIN11, highlights the group’s shift toward exploiting high-value business systems for maximum leverage in data extortion schemes. Victims range from Envoy Air, a subsidiary of American Airlines, to prestigious academic institutions like Harvard University and the University of the Witwatersrand in South Africa.
The threat actors reportedly stole and leaked over 26GB of corporate data, claiming it originated from American Airlines systems, though Envoy Air maintains that no customer or sensitive data was exposed. Other victims have also had files posted to the Cl0p leak site, the usual sign that an organization declined to pay the ransom demand. The group’s attack lifecycle follows a familiar yet devastating pattern — exploit, exfiltrate, extort, and expose — and shows how quickly an operational disruption turns into a reputational crisis once stolen data is published.
At the heart of this campaign are vulnerabilities in Oracle EBS: a zero-day flaw, CVE-2025-61882, and potentially CVE-2025-61884, which Oracle has also patched but has not explicitly confirmed as exploited. The zero-day gave attackers a way into unpatched instances, from which they exfiltrated sensitive data and then applied ransom pressure through public shaming on the group’s leak site. Oracle’s subsequent advisory confirms that CVE-2025-61882 was actively exploited in the wild, underscoring the urgent need for enterprises to prioritize EBS patch management and vulnerability scanning.
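Patch status is the first question, but an exploit against the EBS web tier only matters where an attacker can reach that tier, so a practical companion check is whether your EBS login and Forms endpoints are being hit from outside your own network at all. The script below is an added example, not code from this article or from Oracle. It parses constructed Apache/Oracle HTTP Server access-log lines and flags requests to EBS application paths (/OA_HTML/, /OA_MEDIA/, /forms/) that arrive from addresses outside your internal ranges, separating scripted clients and POST requests from ordinary browser sessions. The internal address ranges, the scripted user-agent prefixes and the sample log lines are assumptions to adapt to your environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/Oracle HTTP Server combined-log format.
# Addresses are RFC 1918 space and RFC 5737 documentation ranges; none is real traffic.
SAMPLE_LOG = """\
10.20.5.17 - - [06/Oct/2025:08:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [06/Oct/2025:08:02:40 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123 "-" "curl/8.4.0"
203.0.113.45 - - [06/Oct/2025:08:02:41 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 311 "-" "curl/8.4.0"
198.51.100.9 - - [06/Oct/2025:08:05:03 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 302 0 "-" "python-requests/2.32"
192.168.40.2 - - [06/Oct/2025:08:06:10 +0000] "GET /forms/frmservlet HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [06/Oct/2025:08:07:55 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed internal ranges: RFC 1918, loopback, link-local and their IPv6 equivalents.
# Listed explicitly rather than via ipaddress.is_private, which also treats the
# documentation ranges used in the sample as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# URL prefixes that belong to the EBS application tier (web and Forms entry points).
EBS_PREFIXES = ("/OA_HTML/", "/OA_MEDIA/", "/forms/")

# User-agent prefixes typical of scripted access rather than a browser session (assumed list).
SCRIPTED_UA = ("curl/", "python-requests/", "Go-http-client/", "libwww-perl/")


def is_internal(ip_str):
    """True if the source address falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable source: treat as external so it is not silently dropped
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one combined-log line into a dict of named fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def external_ebs_hits(log_text):
    """Return parsed entries where an external source reached an EBS application path."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or is_internal(entry["ip"]):
            continue
        if entry["path"].startswith(EBS_PREFIXES):
            entry["scripted"] = entry["ua"].startswith(SCRIPTED_UA)
            hits.append(entry)
    return hits


def summarize(log_text):
    """Aggregate external EBS access into the counts that drive exposure triage."""
    hits = external_ebs_hits(log_text)
    return {
        "external_hits": len(hits),
        "sources": Counter(h["ip"] for h in hits),
        "external_posts": sum(1 for h in hits if h["method"] == "POST"),
        "scripted_hits": sum(1 for h in hits if h["scripted"]),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"external requests to EBS paths: {report['external_hits']}")
    for ip, n in report["sources"].most_common():
        print(f"  {ip}: {n}")
    print(f"external POSTs: {report['external_posts']}, scripted clients: {report['scripted_hits']}")
```

Any host that shows external hits here is internet-reachable and must be at Oracle's patched level before anything else; a non-zero count of scripted or POST requests from a single external source is the pattern to pull into incident review rather than dismiss as scanner noise. On a real deployment, feed the script your Oracle HTTP Server access logs and replace the internal ranges with the ones your reverse proxy or VPN actually uses.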
The campaign’s attribution to FIN11 and the Cl0p ransomware group highlights the blurred lines within modern cybercrime ecosystems, where overlapping threat clusters share infrastructure and tooling. Mandiant’s intelligence suggests multiple subgroups may operate under the FIN11 umbrella, complicating attribution and response efforts.
This incident serves as a stark reminder that core enterprise platforms are now prime targets for ransomware operators. As the Cl0p group continues to evolve from traditional encryption-based attacks to pure data-theft and extortion, organizations must assume that compromise equates to exposure — and that operational security now extends to the ERP layer.
#Cl0p #FIN11 #Oracle #EBusinessSuite #CVE202561882 #CVE202561884 #Ransomware #DataBreach #EnvoyAir #AmericanAirlines #HarvardUniversity #UniversityoftheWitwatersrand #OracleVulnerabilities #CyberCrime #Extortionware #DataExfiltration #LeakSite #ZeroDayExploit #Mandiant #CyberAttack #InformationSecurity #PatchManagement #ThreatIntelligence #CyberExtortion #EnterpriseSecurity #OracleEBS #RansomOps #SecurityBreach #DarkWebLeaks #CyberRisk #Infosec