Oracle has finally broken its silence on those Clop-linked extortion emails, but only to tell customers what they already should have known: patch your damn systems.
The database giant posted an impressively short blog post overnight, confirming that some E-Business Suite (EBS) users have been targeted by cybercriminals claiming to have siphoned off sensitive data, adding that the crooks appear to be exploiting holes Oracle already plugged in July.
Rob Duhart, CSO of Oracle Security, said the firm “has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” before repeating its standard advice to apply the latest fixes.
That will be of little comfort to execs currently receiving emails threatening to leak payroll files and financial records unless they cough up a ransom.
As The Register reported yesterday, attackers with suspected ties to the Clop ransomware gang have been firing off extortion emails to senior staff, claiming they’ve broken into Oracle’s systems and stolen confidential data.
Mandiant and Google’s Threat Intelligence Group, both of which are monitoring the campaign, stated on Thursday that there’s no indication yet that Oracle itself has been compromised. However, anti-ransomware outfit Halcyon, which has also been keeping an eye on the goings-on at Oracle, says it’s “highly likely” that Clop ransomware operators are actively extorting victims through the local login pages on internet-facing Oracle EBS portals.
“After compromising user email, attackers abuse the default password-reset function to gain valid credentials,” Halcyon said. “Local accounts bypass enterprise SSO controls and often lack MFA, leaving thousands of organizations exposed.”
Attackers are waving around screenshots and file trees as proof of their handiwork, according to Halcyon, while slapping price tags as high as $50 million on their demands. Though Oracle insists the activity traces back to a flaw it patched in July, Halcyon says the campaign “stems from configuration and default business logic abuse rather than a specific vulnerability.”
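The abuse pattern Halcyon describes, a reset against a local (non-SSO, no-MFA) account followed by a login from unfamiliar infrastructure, is something you can look for in your own audit data. The inventory-and-correlation check below is an added example, not code from Oracle, Halcyon, Mandiant or The Register; the record shape (account name, auth type, MFA flag, reset and login events with source IPs) and the sample data are constructed assumptions, so map them onto whatever your EBS or identity-provider exports actually contain:

```python
"""Check for the local-login exposure described above.

Added example; not Oracle's or Halcyon's code. The record format (account
name, "sso"/"local" auth type, MFA flag, password-reset and login events with
source IPs) is an assumption; adapt it to your real EBS / IdP audit export.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    name: str
    auth: str                      # "sso" or "local" (hypothetical field)
    mfa: bool
    known_ips: set = field(default_factory=set)
    resets: list = field(default_factory=list)   # (timestamp, requester_ip)
    logins: list = field(default_factory=list)   # (timestamp, source_ip)


def local_accounts_without_mfa(accounts):
    """Accounts that bypass enterprise SSO and carry no MFA: the population
    the extortion campaign is said to target."""
    return sorted(a.name for a in accounts if a.auth == "local" and not a.mfa)


def suspicious_reset_then_login(accounts, window=timedelta(hours=6)):
    """Flag a password reset on a local account that is followed, within
    `window`, by a login from an IP that account has never used before.
    A reset triggered through a hijacked mailbox and then used from attacker
    infrastructure matches this shape."""
    hits = []
    for a in accounts:
        if a.auth != "local":
            continue
        for reset_ts, _requester in a.resets:
            for login_ts, ip in a.logins:
                if reset_ts <= login_ts <= reset_ts + window and ip not in a.known_ips:
                    hits.append((a.name, ip, login_ts.isoformat()))
    return hits


def sample_accounts():
    """Constructed sample data, not real EBS records."""
    t0 = datetime(2025, 10, 2, 8, 0)
    return [
        # reset, then a login 40 minutes later from an address never seen before
        Account("finance_clerk", "local", False, {"10.0.5.21"},
                resets=[(t0, "10.0.5.21")],
                logins=[(t0 + timedelta(minutes=40), "203.0.113.77")]),
        # local but MFA-protected, no reset activity
        Account("payroll_admin", "local", True, {"10.0.5.30"},
                logins=[(t0, "10.0.5.30")]),
        # SSO account: reset flow is governed by the IdP, so out of scope here
        Account("cfo", "sso", True, {"10.0.1.2"},
                resets=[(t0, "10.0.1.2")],
                logins=[(t0 + timedelta(minutes=5), "10.0.1.2")]),
        # legacy local account with no MFA and no recent reset
        Account("svc_legacy", "local", False, {"10.0.9.9"},
                logins=[(t0 + timedelta(days=1), "10.0.9.9")]),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    print("local accounts without MFA:", local_accounts_without_mfa(accts))
    print("reset followed by new-IP login:", suspicious_reset_then_login(accts))
```

The first function gives you the list to remediate (enforce MFA or retire the local account); the second is the detection to run against historical logs, since the campaign relies on resets that look legitimate at the time they happen.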
While Halcyon warns that “thousands” of organizations could be affected, Oracle’s carefully worded blog stops short of saying how many customers might have been targeted, whether any data has been swiped, or whether Clop is behind the extortion attempts. Big Red has still not responded to The Register’s questions.
Instead, the company leaned on boilerplate about its “strong recommendation” to keep up with patching, something long-time Oracle users will recognize as the default response to almost every breach scare. ®