Full Report
Q4 of 2025 was marked by the latest large-scale data theft campaign by the CL0P ransomware gang, this time exploiting a zero-day vulnerability in Oracle E-Business Suite (EBS). The campaign followed a playbook CL0P pioneered nearly five years ago: purchase a zero-day exploit for a widely used enterprise file transfer or data storage appliance, compromise as many instances as possible before detection, exfiltrate as much data as possible from as many downstream customers as possible, and finally monetize the attack at scale by extorting each unique downstream party. The strategy does not involve encrypting the target assets, and often the entire attack chain occurs outside of the victim’s network. This was the 5th campaign in which CL0P followed this playbook, and the financial outcome for CL0P tells an interesting story about the current state of cyber extortion.

CL0P developed this playbook during the Accellion breach in Q1-2021. At the time, data exfiltration-only extortion was still a relatively novel tactic. Most cyber extortion attacks in 2020-2021 involved the encryption of critical systems as the primary driver of extortion pressure; increasingly, actors during this period combined encryption and data exfiltration extortion to compound the pressure on victims to pay. At that point, data exfiltration was a very effective pressure tactic: victims lacked confidence in their ability to assess what had been taken, regulators were still adapting to breach notification rules and enforcement, and many organizations viewed payment as a pragmatic way to make the problem “go away.”
Analysis Summary
# Threat Actor: CL0P Ransomware Gang
## Attribution & Identity
* **Threat Actor Identification:** CL0P ransomware gang.
* **Known Aliases and Associated Groups:** Not specified; the report refers to the group only as the CL0P ransomware gang.
* **Historical Associations:** Developed/pioneered the mass data exfiltration playbook during the Accellion breach in Q1-2021.
## Activity Summary
CL0P engages in large-scale data theft campaigns using a consistent playbook focused solely on data exfiltration and extortion, deliberately avoiding asset encryption.
* **Q4 2025 Campaign:** Exploited a zero-day vulnerability in **Oracle E-Business Suite (EBS)**. This was the 5th campaign following their established playbook.
* **Historical Campaigns Following Playbook:**
    * **Q1-2021 (Accellion):** First deployment of the playbook, likely yielding tens of millions of dollars with an estimated 25% payment rate against 100+ impacted organizations.
    * **March 2023 (GoAnywhere MFT):** Impacted 100-150 organizations, with an estimated 20% payment rate.
    * **Later 2023 (MOVEit MFT):** Massive campaign impacting 2,000-3,000 organizations directly or indirectly, but yielding a low payment rate (~2.5%).
    * **2024 (Cleo MFT):** Several hundred downstream organizations impacted, with zero recorded payments as victim maturity increased.
## Tactics, Techniques & Procedures
CL0P primarily utilizes a "mass data exfiltration-only extortion" playbook:
* **Acquisition:** Purchase a zero-day exploit targeting widely used enterprise file transfer or data storage appliances.
* **Compromise & Exfiltration:** Compromise as many instances as possible before detection, and exfiltrate data from as many downstream customers as possible.
* **Monetization:** Monetize the attack at scale through extortion of *each unique downstream party*.
* **Execution Scope:** The entire attack chain often occurs **outside of the victim’s network**.
* **Distinguishing Feature:** This strategy **does not involve the encryption** of the target assets.
* **Vulnerabilities Exploited (Examples):** Zero-days in Oracle E-Business Suite (EBS), GoAnywhere MFT, MOVEit managed file transfer software, and the Cleo Managed File Transfer product.
## Targeting
* **Sectors (General Q4 2025 Trends):** Attackers show a preference for downtime-sensitive sectors, with Professional Services (18.92%), Healthcare (15.32%), Technology Hardware & Equipment (9.91%), Software Services (7.21%), and Consumer Services (9.01%) being highly represented in general ransomware activity during the quarter.
* **Geography:** Not specified, but the targeting of widely used enterprise software implies global reach.
* **Victims (Size/Type):**
    * **Focus:** CL0P’s playbook targets organizations using specific vulnerable software (e.g., Oracle EBS, MFT solutions).
    * **General Q4 2025 Trend Context:** Ransomware activity is heavily skewed towards **small and mid-sized organizations**, with companies of 11-100 employees (38%) and 101-1,000 employees (31%) most frequently impacted by ransomware in general.
## Tools & Infrastructure
* **Malware Families Used:** Not specified; the focus is on exploiting existing vulnerabilities for data access, not on deploying specific ransomware payloads for encryption.
* **Infrastructure:** Not detailed beyond the purchase of zero-day exploits.
## Implications
The data exfiltration-only extortion model, while highly effective in 2021 (Accellion), showed diminishing returns across subsequent years (MOVEit, Cleo) due to victim adaptation, improved forensic capability, and variance in data sensitivity. The Q4 2025 Oracle EBS campaign presented a "return to ideal extortion conditions" (low victim forensic ability, highly sensitive data), yet it **still generated one of the lowest levels of victim engagement and monetization** observed across prior CL0P incidents. This suggests that the high-volume, low-touch data theft model is losing its financial edge regardless of how sensitive the stolen data is.
## Mitigations
* **Patch Management:** Focus on timely patching/mitigation for widely used enterprise software, especially file transfer/storage appliances (MFT solutions).
* **Monitoring:** Implement robust internal monitoring, as the strategy relies on exploiting externally facing services.
* **Data Inventory/Discovery:** Develop forensic and data reconstruction capabilities to reduce reliance on threat actors for visibility into exfiltrated data.
* **Process Adaptation:** Organizations have matured to view payment as less pragmatic, relying on notification rules and internal assessments to navigate breaches.