{"id":3070,"date":"2025-10-03T01:54:07","date_gmt":"2025-10-03T01:54:07","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/03\/extortion-emails-sent-to-executives-by-self-proclaimed-clop-gang-member\/"},"modified":"2025-10-03T01:54:07","modified_gmt":"2025-10-03T01:54:07","slug":"extortion-emails-sent-to-executives-by-self-proclaimed-clop-gang-member","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/10\/03\/extortion-emails-sent-to-executives-by-self-proclaimed-clop-gang-member\/","title":{"rendered":"Extortion Emails Sent to Executives by Self-Proclaimed Clop Gang Member"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>An individual or group of people claiming to be working with the Clop ransomware has been sending extortion emails to executives at several organizations since September 29, according to Google.<\/p>\n<p>The threat actor also claims to have stolen sensitive data from its targets\u2019 Oracle E-Business Suite.<\/p>\n<p>Researchers at Mandiant and Google Threat Intelligence Group (GTIG) are investigating the case but have not yet gathered enough evidence to substantiate the individual\u2019s claims.<\/p>\n<p>Charles Carmakal, CTO of Mandiant at Google Cloud, commented: \u201cWe are currently observing a high-volume email campaign being launched from hundreds of compromised accounts.\u201d<\/p>\n<p>His team\u2019s initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.<\/p>\n<p>\u201cThe malicious emails contain contact information, and we\u2019ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site (DLS). 
This move strongly suggests there\u2019s some association with Clop and they are leveraging the brand recognition for their current operation,\u201d Carmakal added.<\/p>\n<p>However, he noted that this doesn\u2019t necessarily mean Clop is involved or even aware of the campaign.<\/p>\n<p>\u201cAttribution in the financially motivated cybercrime space is often complex, and actors frequently mimic established groups like Clop to increase leverage and pressure on victims. We recommend targeted organizations investigate their environments for evidence of threat actor activity,\u201d he concluded.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>An individual or group of people claiming to be working with the Clop ransomware has been sending extortion emails to executives at several organizations since September 29, according to Google. The threat actor also claims to have stolen sensitive data from its targets\u2019 Oracle E-Business Suite. Researchers at Mandiant and Google Threat Intelligence Group 
(GTIG)<\/p>\n","protected":false},"author":2,"featured_media":3071,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3070-54b18844-93e7-4ffa-97bb-37769ce603a9-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3070"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3070\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3071"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3070"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}