In early October 2025, news broke that hackers were targeting executives across various organizations in the United States. These attackers claimed to have stolen sensitive files through Oracle E-Business Suite systems and demanded ransom payments in exchange for deleting the stolen data.
Subsequent investigations revealed a remote code execution (RCE) zero-day vulnerability affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14. Alarmingly, the attacks had been ongoing for months before Oracle released an official patch. Initial reports indicated that “dozens” of companies were affected, but that number later grew to more than a hundred.
Two hacking groups have been linked to this wide-reaching campaign: the financially motivated FIN11 collective and the notorious Cl0p ransomware gang. Despite the extensive impact, there is currently no evidence of abuse beyond the ransom demands and data leaks.
The Washington Post confirmed that it, too, fell victim to the attack. Cl0p added The Post to its data leak site, accusing the company of “ignoring their security”—a phrase interpreted by TechCrunch to mean The Post declined to pay the ransom.
While the exact ransom amount demanded from The Washington Post remains unknown, earlier victims have reportedly been asked for as much as $50 million.
This Oracle-related hacking spree has hit several high-profile organizations, including Harvard University, Schneider Electric, Pan American Steel, and Cox Enterprises. However, the full list of victims has not been publicly disclosed and likely never will be. It’s possible that some companies paid the ransom and, as a result, do not appear on Cl0p’s leak site.
Law enforcement agencies typically advise against paying ransom demands, warning that such payments encourage threat actors to escalate their attacks and provide them with the resources to continue operating.
https://www.techradar.com/pro/security/the-washington-post-confirms-it-suffered-an-oracle-linked-data-breach
