Clop’s Oracle EBS Rampage—Another Day, Another Zero-Day, Another Round of Corporate Humiliation

The Clop ransomware gang discovered that Oracle E-Business Suite has a critical vulnerability (CVE-2025-61882) that allows unauthenticated remote code execution. So naturally, they’ve been exploiting it since at least August 2025, targeting dozens of major organizations worldwide. Canon, Broadcom, Dartmouth College, and numerous others got hit. But here’s the real story: Clop didn’t deploy encryption immediately. They focused on data theft first.

This is the new playbook. Stage one: gain access through a critical vulnerability before vendors even know it exists. Stage two: exfiltrate massive amounts of data quietly. Stage three: send extortion emails with proof of compromise. Stage four: leak data on their dark web site when companies don’t pay. That’s not ransomware in the traditional sense—that’s data extortion with a ransomware option.

The vulnerability itself? CVSS 9.8 (critical), affecting Oracle EBS versions 12.2.3 through 12.2.14. Unauthenticated attackers could execute arbitrary code remotely without any user interaction. Graceful Spider (tracked as Clop affiliates) started exploiting this in early August, well before Oracle issued a patch in October. That’s a two-month window where attackers had free rein.
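Because the affected range is stated by version, the first practical step is to triage an EBS inventory against it. The script below is an added example, not code from the original post or from Oracle: the 12.2.3 through 12.2.14 range comes from the post, the hostnames and versions in the inventory are constructed, and the script deliberately does not claim to know whether Oracle's October patch is applied, since a version string alone does not tell you that, so in-range hosts are flagged for patch verification rather than declared vulnerable.

```python
"""Triage an Oracle EBS host inventory against the affected version range.

Added example, not from the original post. The affected range 12.2.3-12.2.14
is taken from the post; the inventory below is constructed sample data.
Whether a host has Oracle's October patch applied cannot be inferred from
the version string, so in-range hosts are flagged for patch verification.
"""

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(text: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10).

    Numeric tuples compare correctly; plain string comparison would wrongly
    rank '12.2.10' below '12.2.9' and silently misclassify hosts.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True when the version falls inside the range the post names."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def triage(inventory: list) -> dict:
    """Group hosts by action.

    'verify_patch'  - version is in the affected range; confirm the patch
    'out_of_range'  - version is outside the range the post names
    'unparseable'   - version string could not be parsed; inspect by hand
    """
    result = {"verify_patch": [], "out_of_range": [], "unparseable": []}
    for host in inventory:
        try:
            affected = is_affected_version(host["version"])
        except ValueError:
            result["unparseable"].append(host["name"])
            continue
        bucket = "verify_patch" if affected else "out_of_range"
        result[bucket].append(host["name"])
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "ebs-prod-01", "version": "12.2.10"},
    {"name": "ebs-prod-02", "version": "12.2.14"},
    {"name": "ebs-dev-01", "version": "12.2.2"},
    {"name": "ebs-legacy", "version": "12.1.3"},
    {"name": "ebs-test", "version": "unknown"},
]


if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

Hosts that land in `verify_patch` need a second check against Oracle's own patch records; hosts that land in `unparseable` are worth a manual look, since an inventory field that cannot be read is exactly where stale or unmanaged instances tend to hide.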

What makes this particularly galling is the scale. Google Threat Intelligence Group and Mandiant analysis indicates that Clop exfiltrated a “significant amount” of data from multiple victims. The group’s leak site currently lists dozens of organizations’ domains, including household names. Extortion emails started going to executives in late September 2025, and the threat actors substantiated their claims with legitimate file listings dating back to mid-August.

This connects to a broader trend I’ve been warning about in my research on advanced persistent threats and cyber terrorism. Nation-state sponsored actors and professional cybercrime gangs are converging on similar tactics: find zero-days, quietly exfiltrate data, then monetize through extortion rather than encryption. It’s more profitable and attracts less law enforcement attention than traditional ransomware deployments.

The real lesson here? Zero-day vulnerabilities in critical infrastructure have a shelf life measured in weeks. The moment a vendor discloses a critical flaw, threat actors have already been chewing through your data for months. Assume you’re already compromised and audit your environments for indicators of compromise immediately.
