
Cl0p Ransomware Lists NHS UK as Victim, Days After Washington Post Breach

Cl0p ransomware lists NHS UK as a victim days after The Washington Post confirms a major Oracle E-Business breach linked to CVE-2025-61882.

HackRead

Cl0p is claiming responsibility for a new data breach affecting the National Health Service (NHS UK). On November 11, 2026, the ransomware group posted on its dark web leak site, accusing the healthcare provider of neglecting its security, stating, “The company doesn’t care about its customers; it ignored their security.”

Although the group has not revealed the volume of stolen data, the announcement aligns with ongoing attacks and with reports that point to Cl0p exploiting vulnerabilities in Oracle’s E-Business Suite (EBS).

NHS officials have not confirmed a breach, but their cybersecurity division did issue alerts in October about critical flaws in Oracle EBS. That alert warned healthcare and public sector systems relying on Oracle’s enterprise software to apply immediate patches and restrict internet exposure. The timing of the Cl0p post now suggests the group may have exploited the same vulnerabilities NHS had already flagged a month earlier.

NHS UK data breach claims from the Cl0p ransomware group (Image credit: Hackread.com)

**The Washington Post**

While the NHS claim is still being investigated, Cl0p’s campaign has already proven its reach. Just days earlier, on November 7, the group announced it had breached The Washington Post by exploiting the same Oracle EBS flaws.

As seen by Hackread.com, the hackers published what they claim is 183GB of data under a folder labeled ebs.washpost.com. The Washington Post later confirmed it was impacted, saying it was among the victims of a “breach of the Oracle E-Business Suite platform.”

The Washington Post’s data details (Image credit: Hackread.com)

**What Experts Think**

Security experts say the Washington Post attack fits Cl0p’s pattern of large-scale, data-theft operations targeting enterprise software used across multiple sectors. Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, noted that the incident highlights Cl0p’s focus on exploiting high-value business systems rather than random targets.

She explained that the group has moved away from traditional ransomware encryption toward coordinated data-exfiltration campaigns that leverage zero-day flaws in critical software such as MOVEit, GoAnywhere, and Oracle EBS.

Unlike affiliate-based ransomware operations, Cl0p’s structure is centralised and technical. Lopez said this setup allows the group to conduct synchronised attacks against hundreds of organisations before vendors release patches.

Their tactics often involve scanning for vulnerable systems, gaining remote access, maintaining persistence, and quietly siphoning data for months before making demands or publishing leaks.

The Washington Post data breach claims from the Cl0p ransomware group (Image credit: Hackread.com)

Faik Emre Derin, Technical Content Manager at SOCRadar, added that the Oracle EBS campaign revolves around CVE-2025-61882, a severe remote code execution flaw with a CVSS score of 9.8.

His team’s analysis shows the exploitation began around August 2025, months before Oracle issued an emergency patch on October 4. The affected versions range from 12.2.3 to 12.2.14, with attackers focusing on the BI Publisher Integration module that allows unauthenticated access to vulnerable systems.

Derin said the exploit’s spread accelerated when a separate group called Scattered Lapsus$ Hunters leaked proof-of-concept code on October 3. This leak allowed additional threat actors, including Cl0p and FIN11, to expand attacks on a global scale.

He recommended that organisations running Oracle EBS install the October 2025 patch immediately, conduct forensic reviews dating back to August, and monitor for connections to suspicious IPs such as 200.107.207.26 and 185.181.60.11.
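One way to run the retrospective check described above, as an added example that is not from the original article or from SOCRadar: it scans flow records for traffic to or from the two listed addresses since August 2025 and summarises first and last contact, volume, and the internal hosts involved. The CSV column layout, the 1 August start date, and the sample records (including the internal address 10.0.5.20) are assumptions constructed for illustration.

```python
import csv
from datetime import datetime, timezone
from ipaddress import ip_address

# The two addresses are the ones named in the article; the rest is assumed.
SUSPICIOUS_IPS = {ip_address("200.107.207.26"), ip_address("185.181.60.11")}
# Assumed lower bound for "dating back to August" (2025).
REVIEW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)

# Constructed flow records in a hypothetical CSV export (ts,src,dst,dst_port,bytes).
# 10.0.5.20 stands in for an EBS application server.
SAMPLE_FLOWS = """\
ts,src,dst,dst_port,bytes
2025-07-30T22:14:03+00:00,200.107.207.26,10.0.5.20,443,1840
2025-08-12T03:41:55+00:00,200.107.207.26,10.0.5.20,443,5210
2025-08-12T03:42:10+00:00,10.0.5.20,185.181.60.11,443,48211034
2025-09-02T11:05:00+00:00,198.51.100.7,10.0.5.20,443,900
2025-10-01T01:17:29+00:00,10.0.5.20,185.181.60.11,443,7733120
not,a,valid,row
"""

def hunt(lines):
    """Summarise flows that touch a listed IP, in either direction, since REVIEW_START."""
    findings = {}
    for row in csv.DictReader(lines):
        try:
            ts = datetime.fromisoformat(row["ts"])
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            size = int(row["bytes"])
            in_window = ts >= REVIEW_START
        except (ValueError, TypeError, KeyError):
            continue  # malformed or timezone-less row: skip it, keep reviewing
        if not in_window:
            continue
        for ioc, direction, host in ((src, "inbound", dst), (dst, "outbound", src)):
            if ioc not in SUSPICIOUS_IPS:
                continue
            f = findings.setdefault((str(ioc), direction),
                {"first": ts, "last": ts, "flows": 0, "bytes": 0, "hosts": set()})
            f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
            f["flows"] += 1
            f["bytes"] += size
            f["hosts"].add(str(host))
    return findings

if __name__ == "__main__":
    for (ip, direction), f in sorted(hunt(SAMPLE_FLOWS.splitlines()).items()):
        print(ip, direction, f["flows"], "flows", f["bytes"], "bytes",
              f["first"].isoformat(), "->", f["last"].isoformat(), sorted(f["hosts"]))
```

Outbound hits with large byte counts are the ones to prioritise, since they are consistent with the data-exfiltration pattern the article describes.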

The ongoing campaign has also affected other high-profile organisations, including Harvard University and American Airlines’ subsidiary Envoy. Investigations by Mandiant and Google’s Threat Intelligence Group suggest the activity started in late September 2025, targeting companies that rely heavily on Oracle EBS for finance, HR, and supply-chain management.

Oracle has since released patches addressing the vulnerabilities and urged customers to update without delay. Despite those efforts, many systems remain exposed, providing Cl0p and affiliated groups with continued opportunities for exploitation.

The inclusion of NHS UK and The Washington Post in the victim list places the Cl0p campaign among the most significant enterprise-software breaches in recent years. With stolen data already circulating online and more victims expected to surface, experts warn that the threat from unpatched Oracle systems is far from over.
