The Cl0p ransomware group (also stylized as CL0P) has escalated its extortion campaign by publicly naming 29 additional alleged victims as of mid-November 2025, building on a wave of attacks that exploited zero-day vulnerabilities in Oracle’s E-Business Suite (EBS).
This campaign, which gained public attention in early October 2025, is a data-theft and extortion operation rather than a traditional ransomware deployment: no encryption is involved, and the targets are organizations that run Oracle EBS for enterprise resource planning (ERP). Cl0p has published stolen data from at least 18 of these victims on its dark web leak site to pressure them into paying.
The Vulnerabilities Exploited
Cl0p is leveraging two zero-day flaws in Oracle EBS 12.2 (affected releases 12.2.3 through 12.2.14):
• CVE-2025-61882 (CVSS 9.8): an unauthenticated remote code execution vulnerability reachable over HTTP in the Oracle Concurrent Processing component (BI Publisher Integration). An attacker with network access to the EBS web tier can execute arbitrary code without credentials. Oracle issued an out-of-band fix on October 4, 2025.
• CVE-2025-61884 (CVSS 7.5): an unauthenticated flaw in the Runtime UI component (Oracle Configurator) that lets a remote attacker read sensitive resources without logging in. Oracle issued a second out-of-band fix about a week after the first.
Both flaws were exploited before those fixes existed. Google Threat Intelligence Group and Mandiant reported evidence of exploitation dating back to August 9, 2025, and CrowdStrike observed the same activity; exploitation was confirmed publicly in early October. The campaign is financially motivated: Cl0p began sending extortion emails to executives at affected organizations around September 29, 2025, before the flaws were publicly known.
Timeline of the Campaign
• August 2025: earliest evidence of exploitation reported by Mandiant (August 9).
• Late September 2025: extortion emails sent to executives at targeted organizations (from about September 29).
• Early October 2025: the flaws are assigned CVE IDs and Oracle releases emergency fixes (October 4 for CVE-2025-61882, with the CVE-2025-61884 fix following shortly after); researchers publicly confirm exploitation.
• October 28, 2025: early victim lists emerge, including high-profile names such as Schneider Electric and Cox Enterprises.
• November 10–18, 2025: Cl0p adds 29 new names to its leak site and publishes data from 18 of them. The “29 additional victims” figure refers to this expansion of the shaming list, not to newly compromised systems.
The group has claimed over 50 victims in total across phases, but the latest batch of 29 has drawn widespread media attention due to the inclusion of major institutions.
Notable Victims from the Latest List
Cl0p has not published all 29 names in a single accessible manifest (its announcements appear piecemeal on its leak site), but confirmed or alleged targets reported so far include:
• Harvard University (U.S. academic institution)
• Wits University (South Africa’s University of the Witwatersrand)
• Envoy Air (subsidiary of American Airlines)
• The Washington Post (confirmed data theft affecting nearly 10,000 individuals’ personal info)
• Schneider Electric (global energy management firm)
• Emerson (industrial automation company)
• Logitech (peripheral hardware manufacturer)
• Cox Enterprises (media and automotive conglomerate)
• UK National Health Service (NHS) (confirmed as targeted, raising healthcare security concerns)
Other sectors hit include manufacturing, aviation, media, and government-related entities, highlighting the supply-chain risks of unpatched Oracle EBS deployments.
Impacts and Broader Implications
• Data Exposure: Leaks include sensitive employee records, financial data, and intellectual property—e.g., The Washington Post reported breaches involving journalist and reader info.
• Extortion Tactics: Cl0p demands payment in cryptocurrency and threatens further leaks if the victim does not pay. As in its earlier GoAnywhere and MOVEit campaigns, the group steals data and extorts without deploying file-encrypting ransomware, trading encryption for speed and scale.
• Global Reach: Victims span the U.S., UK, South Africa, and beyond, underscoring EBS’s prevalence in legacy enterprise systems.
This campaign follows the pattern of Cl0p’s 2023 MOVEit Transfer campaign, which netted millions, but targets a narrower, high-value ecosystem: internet-reachable Oracle EBS instances. It is a reminder that an ERP system exposed to the internet is a single point of failure for both data and business operations.
Recommendations for Organizations
If you’re using Oracle EBS:
1. Patch Immediately: Apply Oracle’s out-of-band fixes for CVE-2025-61882 and CVE-2025-61884, then the October 2025 Critical Patch Update. Note that the CVE-2025-61882 fix requires the October 2023 Critical Patch Update as a prerequisite, so instances that are behind on quarterly CPUs need that applied first. Verify the patch level on every EBS 12.2 instance, not just production.
2. Monitor and Scan: Treat any instance that was internet-reachable before patching as potentially compromised. Review Oracle HTTP Server access logs on the EBS web tier for the source addresses published in Oracle’s security alert and in Mandiant’s and CrowdStrike’s reporting, look for unexpected outbound connections from application-tier hosts (the published exploit activity included reverse shells from the EBS server), and check for unusually large volumes of data served to single external sources.
3. Incident Response: If you find indicators of compromise or receive an extortion email, preserve logs, engage an incident response provider, and notify affected parties as required. Avoid paying: payment funds further attacks and does not guarantee deletion of the stolen data.
4. Long Term: Keep EBS off the public internet (front it with a VPN or an authenticating reverse proxy), restrict the application tier’s outbound network access so a compromised host cannot call out freely, and keep pace with Oracle’s quarterly Critical Patch Updates so that out-of-band fixes can be applied without prerequisite gaps.
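The log review in step 2 can be partly automated. The script below is an added example, not Oracle’s tooling or anything published by the researchers cited above: it parses Oracle HTTP Server (Apache combined format) access logs and flags three signals, a request from a known-bad source address, a burst of POSTs to the standard EBS login URL `/OA_HTML/AppsLogin` from one source, and a single source being served an unusual volume of bytes. The IoC set is a placeholder using the RFC 5737 documentation range, to be replaced with the addresses from Oracle’s and Mandiant’s advisories; the sample log lines are constructed, not real traffic; and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder IoC set. Replace with the source addresses from Oracle's CVE-2025-61882
# security alert and Mandiant's reporting. 203.0.113.0/24 is the RFC 5737 documentation
# range, used only so the constructed sample below runs offline.
IOC_IPS = {"203.0.113.10"}

# Oracle HTTP Server / Apache combined-format access log, as written by the EBS 12.2 web tier.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_indicators(lines, ioc_ips=IOC_IPS, login_path="/OA_HTML/AppsLogin",
                    login_burst=5, window=timedelta(minutes=5), exfil_bytes=50_000_000):
    """Scan log lines in order; return (kind, source_ip, detail) tuples, one per source per kind."""
    findings = []
    login_times = defaultdict(list)   # ip -> timestamps of POSTs to the login page
    served = defaultdict(int)         # ip -> cumulative bytes served to that source
    flagged = set()                   # (kind, ip) already reported, to avoid duplicates

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]

        # 1. Request from a published known-bad source address.
        if ip in ioc_ips and ("ioc_ip", ip) not in flagged:
            findings.append(("ioc_ip", ip, rec["path"]))
            flagged.add(("ioc_ip", ip))

        # 2. Login burst. EBS renders a failed login as an HTTP 200 error page, so status
        #    codes are not a reliable failure signal; count POSTs to the login URL per source.
        if rec["method"] == "POST" and rec["path"].startswith(login_path):
            times = login_times[ip]
            times.append(rec["ts"])
            times[:] = [t for t in times if rec["ts"] - t <= window]
            if len(times) >= login_burst and ("login_burst", ip) not in flagged:
                findings.append(("login_burst", ip, f"{len(times)} login POSTs within {window}"))
                flagged.add(("login_burst", ip))

        # 3. Volume served to a single source: a crude but useful data-theft signal.
        served[ip] += rec["bytes"]
        if served[ip] >= exfil_bytes and ("exfil_volume", ip) not in flagged:
            findings.append(("exfil_volume", ip, f"{served[ip]} bytes served"))
            flagged.add(("exfil_volume", ip))

    return findings


# Constructed sample (not real traffic): one benign request, one IoC hit, a six-request
# login burst from one source, then a large download from the same source.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Oct/2025:14:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4821',
    '203.0.113.10 - - [10/Oct/2025:14:00:07 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 302 0',
] + [
    f'198.51.100.77 - - [10/Oct/2025:14:01:{s:02d} +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 5210'
    for s in range(10, 16)
] + [
    '198.51.100.77 - - [10/Oct/2025:14:09:30 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 80000000',
]

if __name__ == "__main__":
    for kind, ip, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind:13} {ip:16} {detail}")
```

Run it against a real log with `find_indicators(open("access_log"))`; the function consumes any iterable of lines, so gzipped rotated logs work through `gzip.open(..., "rt")`. The volume check is cumulative per source and deliberately simple: a proper exfiltration detector would also baseline per-user and per-hour volumes, but even this crude version surfaces the single-client bulk pulls that characterize data-theft extortion campaigns.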
For the latest updates, monitor sources like Oracle’s security advisories or cybersecurity threat feeds. If you have specific details about a potential impact (e.g., your organization), I can help refine advice.