Featured Story
Europe Sees Increase in Ransomware, Extortion Attacks

Summary
As ransomware groups continue to operate faster than ever, European organizations are facing an increasingly large portion of attacks, accounting for nearly 22% of global ransomware and extortion victims.
According to CrowdStrike’s “2025 European Threat Landscape Report,” dedicated leak site (DLS) entries naming Europe-based organizations jumped nearly 13% year over year, with adversary groups like Scattered Spider reducing their time to deployment to just 24 hours.
The UK, Germany, France, Italy, and Spain were among the most targeted nations in the region. The most targeted sectors were manufacturing, professional services, technology, industrial and engineering, and retail.
Akira, LockBit, RansomHub, INC, Lynx, and Sinobi have been some of the most successful ransomware groups since January 2024, particularly for this region and big-game hunting (BGH) attacks.
Analysis from our SOC team
With ransomware groups now deploying attacks within 24 hours and Europe accounting for 22% of global victims, traditional detection windows are no longer sufficient. Manufacturing and professional services sectors face the highest risk, with attackers increasingly favoring data theft over encryption.
Other News
ClickFix malware attacks evolve with multi-OS support, video tutorials
Summary
ClickFix attacks have evolved to feature videos that guide victims through the self-infection process, a timer to pressure targets into taking risky actions, and automatic detection of the operating system to provide the correct commands.
Using JavaScript, the threat actor can hide the commands and copy them automatically into the user’s clipboard, thus reducing the chances of human error.
In the same window, the challenge included a one-minute countdown timer that pressures the victim into acting quickly, leaving little time to verify the authenticity or safety of the verification process.
These more advanced ClickFix webpages are promoted primarily through malvertising on Google Search.
Regarding the payloads delivered in these attacks, researchers noticed that they varied by operating system and included the MSHTA executable on Windows, PowerShell scripts, and various other living-off-the-land binaries.
Analysis from our SOC team
This attack technique bypasses traditional security controls by exploiting user trust and psychological pressure through countdown timers. The multi-OS support and professional video tutorials significantly increase success rates, making detection at the endpoint level critical since users are essentially executing the malware themselves.
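As an added illustration (not code from the article or the researchers it cites), the following JavaScript triages saved page source for the ClickFix traits described above: a script-driven clipboard write, operating-system detection, a timer, and living-off-the-land binary names. The indicator names, patterns, weights and both sample pages are assumptions constructed for this example.

```javascript
// Added example: heuristic triage of page source for ClickFix traits.
// Patterns and weights are illustrative assumptions, not a vendor rule set.
const INDICATORS = [
  { name: "clipboard_write", weight: 3,
    re: /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]/i },
  { name: "os_detection", weight: 1,
    re: /navigator\.(userAgent|platform|userAgentData)/i },
  { name: "countdown_timer", weight: 1,
    re: /set(Interval|Timeout)\s*\(/i },
  { name: "lolbin_string", weight: 3,
    re: /\b(mshta|powershell|pwsh)(\.exe)?\b/i },
];

// Collect the bodies of inline <script> elements from the saved HTML.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  return Array.from(html.matchAll(re), m => m[1]).join("\n");
}

// Score a page; flag it only when a clipboard write and a LOLBin name
// co-occur, since ordinary "copy link" buttons also write to the clipboard.
function scorePage(html) {
  const js = extractScripts(html);
  const hits = INDICATORS.filter(i => i.re.test(js)).map(i => i.name);
  const score = INDICATORS.filter(i => hits.includes(i.name))
                          .reduce((sum, i) => sum + i.weight, 0);
  const suspicious = hits.includes("clipboard_write") && hits.includes("lolbin_string");
  return { score, hits, suspicious };
}

// Constructed sample: a fake "verification" page with a placeholder command.
const LURE_SAMPLE = `<html><body><div id="timer">60</div><script>
  const isWin = navigator.userAgent.includes("Windows");
  let left = 60;
  setInterval(() => { left -= 1; }, 1000);
  navigator.clipboard.writeText(isWin ? "mshta PLACEHOLDER" : "PLACEHOLDER");
</script></body></html>`;

// Constructed sample: a harmless page with a share-link copy button.
const BENIGN_SAMPLE = `<html><body><button id="copy">Copy link</button><script>
  document.getElementById("copy").onclick = () => navigator.clipboard.writeText(location.href);
  setTimeout(() => {}, 500);
</script></body></html>`;

console.log(scorePage(LURE_SAMPLE), scorePage(BENIGN_SAMPLE));
```

Because the commands can be hidden by the page's script, a clean result from a static scan like this does not clear a page; it is a triage aid alongside endpoint detection.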
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
Summary
Cisco on Wednesday disclosed that it became aware of a new attack variant that’s designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.
This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions. Both vulnerabilities were disclosed in late September 2025, but not before they were exploited as zero-day vulnerabilities in attacks delivering malware such as RayInitiator and LINE VIPER.
While successful exploitation of CVE-2025-20333 allows an attacker to execute arbitrary code as root using crafted HTTP requests, CVE-2025-20362 makes it possible to access a restricted URL without authentication.
Analysis from our SOC team
If your organization uses Cisco ASA or FTD firewalls, immediate patching is critical. These vulnerabilities were already exploited as zero-days before disclosure, and the new attack variant causing DoS conditions indicates continued active exploitation. The combination of arbitrary code execution as root and authentication bypass makes these devices high-value targets for initial access.
Online investment: beware of fake investment opportunities
Summary
Fake trading platforms are currently proliferating on the internet. Cybercriminals contact victims through email, social media, dating apps, or text messages, encouraging them to start by investing a modest sum (e.g. €250), making them believe they will make high returns and pushing them to invest more and more.
Some allow you to withdraw a small amount at the beginning to make you believe in the scam. The goal is to get you to invest more and more on these fake, non-existent platforms.
Then suddenly, one day, you want to withdraw your money, and nothing is possible. They disappear with your money.
Analysis from our SOC team
The tips described in the article are what we would like to emphasize as well.
Never click on any links in unsolicited investment offers and always verify platforms through official financial regulatory websites like FSMA before investing.
Suspicious messages can be forwarded to any of the three email addresses from Safeonweb.
verdacht@safeonweb.be
suspect@safeonweb.be
suspicious@safeonweb.be
Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.