Google Mandiant: Emails Sent to Corporate Execs Claiming Oracle Data Theft
Threat actors posing as the Cl0p ransomware gang are sending extortion emails to corporate executives, claiming to have stolen sensitive data from the targets' Oracle E-Business Suite accounts and demanding a ransom. The malicious emails come from hundreds of compromised accounts, and their contact addresses match those listed on Cl0p's data leak site, which points to a possible association, but attribution has not been established and may involve FIN11 or other imitators. 2025-10-2 14:17:36 Author: securityboulevard.com

Threat actors claiming to be part of the notorious Cl0p ransomware group are sending extortion emails to corporate executives at a range of organizations saying they have stolen sensitive data from the target’s Oracle E-Business Suite accounts and demanding a ransom payment, according to Google threat researchers.

The threatening emails started appearing as recently as this week, having been sent from hundreds of compromised accounts, researchers from the Google Threat Intelligence Group (GTIG) and Google’s Mandiant business wrote in an email sent to journalists.

That said, they noted that they are in the early stages of their investigation and that they can’t yet attribute the emails to any particular group, Mandiant CTO Charles Carmakal wrote.


The malicious emails include contact information, and the researchers verified that two specific contact addresses are also publicly listed on Cl0p’s data leak site.

“This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation,” Carmakal wrote.

No Attribution Yet

At the same time, at least one of the accounts has been associated in the past with activity from FIN11, another long-time financially motivated threat group with a history of running ransomware and extortion campaigns.

Carmakal warned that establishing attribution among such financially motivated groups is difficult, adding that “actors frequently mimic established groups like Clop to increase leverage and pressure on victims.”

“It is critical to note that while the tactics align with an extortion motive and the actor is explicitly claiming this connection, GTIG does not currently have sufficient evidence to definitively assess the veracity of these claims,” he wrote.

Campaign Started Recently

Genevieve Stark, head of cybercrime and information operations intelligence analysis for GTIG, wrote that the sending of the malicious emails “began on or before September 29” and that the Google and Mandiant researchers were in the “early stages of multiple investigations,” adding her voice to Carmakal’s warning that they did not yet have enough information to substantiate the claims made by the email senders.

Oracle E-Business Suite is a collection of tightly integrated business applications that span enterprise resource planning (ERP), customer relationship management (CRM), and supply chain management, covering areas from finance and manufacturing to HR, procurement, and order management.

Links Between Cl0p, FIN11

While Cl0p and FIN11 are not the same group, there have long been links between the two. Both have been known to use phishing campaigns and to exploit software vulnerabilities to gain access to targets’ IT systems. FIN11 has also been known to use Cl0p’s ransomware in its attacks.

Cl0p is another longtime threat group that made a name for itself in 2023 by exploiting a flaw in Progress Software’s MOVEit file transfer tool that gave the attackers unauthorized escalated privileges and access to customers’ environments.

According to cybersecurity firm EmsiSoft, which has been tracking the fallout of the MOVEit hack – which impacted both MOVEit Transfer, the on-premises version of the tool, and a cloud-hosted version, MOVEit Cloud – almost 2,800 companies and close to 96 million people were affected by the attacks, with four victims each having more than 6 million individuals affected.

EmsiSoft estimated the total cost of the data breaches at more than $15.8 billion, noting that almost 79% of the attacks occurred in the United States.

Sophisticated, Adaptable Ransomware

According to Barracuda Networks, Cl0p emerged in 2019 and is part of TA505, a Russia-based cybercrime organization that also has used well-known ransomware families like Locky and Dridex.

“Cl0p ransomware has endured and adapted, and is now considered the ‘flagship’ of the TA505 operations,” Barracuda wrote earlier this year. “It’s the most well-known attack tool in their arsenal, and it demonstrates the group’s technical sophistication and adaptability in attack methods. Cl0p has inflicted significant damage across the world through its high-profile supply chain attacks.”

Security Boulevard has contacted Oracle for comment and will add what the company says when it responds.

Source: https://securityboulevard.com/2025/10/google-mandiant-emails-sent-to-corporate-execs-claiming-oracle-data-theft/