Ransomware and Unpatched Vulnerabilities
Takeaways
Ransomware groups prefer known CVEs over zero-days: They exploit vulnerabilities with available patches because it is cheaper and more scalable than developing novel exploits.
Internet-facing infrastructure is the primary target: VPN appliances, remote desktop gateways, and email servers are consistently exploited for ransomware initial access.
The patching gap is the exploited window: Most ransomware-exploited CVEs had patches available for weeks or months before exploitation occurred.
KEV prioritization directly reduces ransomware risk: CISA's KEV catalog tracks CVEs with confirmed exploitation, including many used in ransomware campaigns.
Emergency patching capability is essential: Organizations need the ability to deploy critical patches to internet-facing systems within hours, not weeks.
How Do Ransomware Groups Exploit Unpatched Vulnerabilities?
Ransomware groups have shifted from primarily using phishing emails as their initial access vector to increasingly exploiting known, unpatched vulnerabilities in internet-facing systems. This shift reflects a strategic calculation: unpatched vulnerabilities provide reliable, scalable access to target networks without requiring user interaction or social engineering success. An unpatched VPN appliance, remote desktop gateway, or web application server gives an attacker direct access to the internal network, bypassing email security controls, endpoint protection, and user awareness training.
Characteristics of Targeted Vulnerabilities
The types of vulnerabilities ransomware groups favor share common characteristics. They affect internet-facing infrastructure (VPN appliances, firewalls, email gateways, remote access tools). They allow remote code execution or authentication bypass without requiring valid credentials. They have publicly available exploit code that can be weaponized without significant development effort. And they are widely deployed across enterprises, providing a large target population. CVEs in enterprise VPN appliances, remote access gateways, load balancers, Microsoft Exchange, and firewall platforms have been particularly popular in ransomware campaigns because these products meet all of these criteria.
The Attack Chain
The attack pattern is consistent. Ransomware operators or their initial access brokers scan the internet for systems running vulnerable versions of targeted products. They exploit the vulnerability to gain initial access. They deploy post-exploitation tools to establish persistence, escalate privileges, and move laterally through the network. They identify and exfiltrate sensitive data for double-extortion pressure. They deploy ransomware across the network, encrypting systems and demanding payment for decryption keys and for not publishing stolen data. The entire chain from initial exploitation to ransomware deployment can occur in hours to days.
What Is the Patching Gap That Ransomware Exploits?
The vulnerability exploited in a ransomware attack almost always has an available patch at the time of exploitation. Ransomware groups do not typically use zero-day exploits. They exploit known vulnerabilities where patches have been available for weeks, months, or even years but have not been applied by the target organization. The gap between patch availability and patch deployment is the window that ransomware groups target.
How Long Are Patches Available Before Exploitation?
Industry data consistently shows that the most commonly exploited CVEs in ransomware incidents had patches available for 60 or more days before exploitation. Some of the most exploited CVEs have had patches available for years. This pattern demonstrates that ransomware risk is primarily a patching velocity problem. Organizations that apply critical patches to internet-facing infrastructure within days of release close the exploitation window before most ransomware operators can target them. Organizations with multi-week or multi-month patching cycles leave the window open for the duration.
KEV as a Ransomware Signal
The CISA Known Exploited Vulnerabilities (KEV) catalog tracks many of the CVEs used in ransomware campaigns. KEV entries with confirmed ransomware usage provide a direct, authoritative signal that a specific vulnerability is being used as a ransomware entry point. Organizations that prioritize KEV remediation are directly reducing their ransomware attack surface.
Reducing Ransomware Risk Through Vulnerability Management
Several vulnerability management practices directly reduce ransomware risk. Prioritizing internet-facing assets for scanning and remediation addresses the infrastructure that ransomware groups target first. VPN appliances, remote desktop gateways, email servers, and web application servers should receive the most frequent scanning and the shortest remediation SLAs in the organization's vulnerability management program.
Exploitation-Based Prioritization
Prioritizing CVEs with confirmed exploitation, through CISA KEV matching and high EPSS scores, ensures that vulnerabilities known to be used in ransomware campaigns receive immediate attention. CVSS-only prioritization does not distinguish between CVEs used in active campaigns and CVEs with no exploitation activity, potentially leaving ransomware-relevant findings buried among thousands of other critical scores.
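The tiering logic described above, as an added example that is not part of the original article: findings are ranked by KEV membership and exposure first and by EPSS second, with CVSS only as the fallback. The KEV snapshot is constructed in the shape of CISA's KEV JSON feed; the CVE IDs, EPSS scores, asset names and SLA hours are made up for the example.

```python
"""Exploitation-based prioritization: KEV match + exposure + EPSS -> remediation tier."""

# Constructed KEV snapshot: same field names as the real CISA feed, fake CVE IDs.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "product": "ExampleVPN", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "product": "ExampleMail", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner findings. Note the internal CVSS 9.8 that CVSS-only sorting would rank first.
FINDINGS = [
    {"cve": "CVE-2099-0001", "asset": "vpn-edge-01", "cvss": 9.8, "epss": 0.95, "internet_facing": True},
    {"cve": "CVE-2099-0002", "asset": "mail-01", "cvss": 8.1, "epss": 0.40, "internet_facing": True},
    {"cve": "CVE-2099-0003", "asset": "web-01", "cvss": 7.5, "epss": 0.80, "internet_facing": True},
    {"cve": "CVE-2099-0004", "asset": "hr-db-02", "cvss": 9.8, "epss": 0.02, "internet_facing": False},
]

# Tier -> remediation SLA in hours. Assumed values for the example, not the article's.
SLA_HOURS = {"emergency": 24, "urgent": 7 * 24, "standard": 30 * 24}


def kev_index(snapshot):
    """Map cveID -> True when KEV records known ransomware campaign use, else False."""
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in snapshot["vulnerabilities"]}


def tier(finding, kev, epss_threshold=0.5):
    """KEV-matched on an internet-facing asset is an emergency; any KEV match or
    high EPSS is urgent; everything else falls through to the standard track."""
    in_kev = finding["cve"] in kev
    if finding["internet_facing"] and in_kev:
        return "emergency"
    if in_kev or finding["epss"] >= epss_threshold:
        return "urgent"
    return "standard"


def prioritize(findings, snapshot):
    """Return findings annotated with tier and SLA, emergency first, then by
    known ransomware use, then by EPSS descending."""
    kev = kev_index(snapshot)
    order = {"emergency": 0, "urgent": 1, "standard": 2}
    out = [dict(f, tier=tier(f, kev), sla_hours=SLA_HOURS[tier(f, kev)]) for f in findings]
    return sorted(out, key=lambda f: (order[f["tier"]], 0 if kev.get(f["cve"]) else 1, -f["epss"]))


if __name__ == "__main__":
    for f in prioritize(FINDINGS, KEV_SNAPSHOT):
        print(f"{f['tier']:9} {f['cve']} {f['asset']:12} sla={f['sla_hours']}h")
```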
Emergency Patching Readiness
Emergency patching processes enable rapid response to newly disclosed vulnerabilities in internet-facing infrastructure. When a critical CVE in a widely deployed VPN appliance is disclosed with exploitation activity reported within days, the organization needs the ability to deploy the patch within hours, not wait for the next scheduled maintenance window. Building and testing emergency patching processes before they are needed ensures the organization can respond with speed when a ransomware-relevant CVE emerges.
Defense-in-Depth Controls
Compensating controls provide defense-in-depth while patches are being deployed. Network segmentation prevents lateral movement from a compromised edge device into the broader network. Multi-factor authentication on all remote access points reduces the value of stolen credentials. Endpoint detection and response identifies post-exploitation activity. Offline backups ensure recovery capability if ransomware is deployed despite preventive measures. These controls do not replace patching but provide layers of defense that slow or stop ransomware operators even if initial exploitation succeeds.
Measuring Ransomware-Specific VM Metrics
Tracking vulnerability management metrics specific to ransomware risk provides focused visibility. Internet-facing critical vulnerability count shows how many high-severity findings exist on the infrastructure ransomware groups target. KEV remediation speed measures how quickly the organization addresses CVEs with confirmed exploitation. MTTR for internet-facing critical findings measures the overall patching velocity for the highest-risk asset class. Emergency patching capability, measured through exercises or actual incidents, indicates whether the organization can respond fast enough when a ransomware-relevant zero-day or critical CVE is disclosed.
Presenting these metrics to leadership connects vulnerability management to the ransomware risk that boards and executives care most about. "We reduced our internet-facing critical vulnerability count from 23 to 4 this quarter and our KEV remediation time from 18 days to 6 days" directly addresses ransomware risk in terms that business leaders understand. This framing justifies vulnerability management investment more effectively than abstract metrics like total vulnerability count or CVSS distribution.
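The four metrics above computed from a findings export, as an added example that is not part of the original article. The findings, dates, CVE IDs and the 7-day KEV SLA used for the overdue check are constructed for the example.

```python
"""Ransomware-specific VM metrics: open internet-facing criticals, KEV remediation
speed, MTTR for internet-facing criticals, and KEV findings past their SLA."""
from datetime import date
from statistics import mean

# Constructed findings export, one row per (asset, CVE); remediated=None means still open.
FINDINGS = [
    {"cve": "CVE-2099-0001", "asset": "vpn-edge-01", "cvss": 9.8, "kev": True, "internet_facing": True,
     "detected": date(2025, 1, 3), "remediated": date(2025, 1, 5)},
    {"cve": "CVE-2099-0002", "asset": "mail-01", "cvss": 8.1, "kev": True, "internet_facing": True,
     "detected": date(2025, 1, 10), "remediated": date(2025, 1, 20)},
    {"cve": "CVE-2099-0003", "asset": "web-01", "cvss": 9.1, "kev": False, "internet_facing": True,
     "detected": date(2025, 2, 1), "remediated": None},
    {"cve": "CVE-2099-0004", "asset": "hr-db-02", "cvss": 9.8, "kev": False, "internet_facing": False,
     "detected": date(2025, 2, 1), "remediated": date(2025, 2, 15)},
    {"cve": "CVE-2099-0005", "asset": "rdp-gw-01", "cvss": 9.0, "kev": True, "internet_facing": True,
     "detected": date(2025, 2, 10), "remediated": None},
]


def open_internet_facing_criticals(findings, min_cvss=9.0):
    """Still-open findings at or above min_cvss on internet-facing assets."""
    return [f for f in findings
            if f["internet_facing"] and f["cvss"] >= min_cvss and f["remediated"] is None]


def mean_days_to_remediate(findings):
    """Mean detected-to-remediated days over closed findings; None if none are closed."""
    days = [(f["remediated"] - f["detected"]).days for f in findings if f["remediated"]]
    return mean(days) if days else None


def kev_remediation_days(findings):
    return mean_days_to_remediate([f for f in findings if f["kev"]])


def mttr_internet_facing_critical(findings, min_cvss=9.0):
    return mean_days_to_remediate([f for f in findings
                                   if f["internet_facing"] and f["cvss"] >= min_cvss])


def kev_overdue(findings, as_of, sla_days=7):
    """Open KEV-matched findings whose age exceeds the assumed emergency SLA."""
    return [f["cve"] for f in findings
            if f["kev"] and f["remediated"] is None and (as_of - f["detected"]).days > sla_days]


if __name__ == "__main__":
    today = date(2025, 2, 20)  # constructed report date
    print("open internet-facing criticals:", len(open_internet_facing_criticals(FINDINGS)))
    print("KEV remediation days (mean):", kev_remediation_days(FINDINGS))
    print("MTTR internet-facing critical:", mttr_internet_facing_critical(FINDINGS))
    print("KEV overdue:", kev_overdue(FINDINGS, today))
```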
Ransomware Initial Access Trends
The shift toward vulnerability exploitation as a ransomware initial access vector has accelerated since 2020. Several high-profile ransomware campaigns have exploited vulnerabilities in enterprise VPN appliances, remote access gateways, Microsoft Exchange (ProxyLogon and ProxyShell), firewall platforms, and file transfer applications. Each of these campaigns targeted vulnerabilities with available patches that had not been applied by significant numbers of organizations. The attackers did not need sophisticated capabilities; they needed vulnerable targets, and the patch gap provided them.
Initial Access Brokers
Initial access brokers (IABs) have emerged as a specialized role in the ransomware ecosystem. IABs focus exclusively on gaining access to corporate networks through vulnerability exploitation, credential theft, and other techniques. They sell this access to ransomware operators who handle the data theft and encryption stages. This specialization means that the attackers exploiting vulnerabilities for initial access are not necessarily the same groups deploying ransomware. The separation creates a market dynamic where any accessible vulnerability in internet-facing infrastructure becomes a potential commodity for IABs to exploit and sell.
Threat Intelligence for Early Warning
Monitoring IAB activity through threat intelligence provides early warning when specific vulnerability classes are being targeted for initial access sales. When intelligence reports indicate that IABs are advertising access to networks compromised through a specific CVE, any organization with that CVE unpatched on internet-facing systems should treat remediation as an emergency regardless of other prioritization factors.
Building Ransomware-Resilient VM Programs
A ransomware-resilient vulnerability management program focuses on three principles: minimize the external attack surface, maximize patch velocity for internet-facing systems, and maintain compensating controls for the residual gap. Minimizing the external attack surface means reducing the number of internet-facing services to what is operationally necessary. Every internet-facing system is a potential ransomware entry point, and each one removed from internet exposure eliminates that risk entirely.
Accelerated Patching Tracks
Maximizing patch velocity means compressing the time between patch availability and deployment on internet-facing systems to the shortest feasible window. For most organizations, this means establishing a separate, accelerated patching track for internet-facing infrastructure with shorter SLAs, expedited change management, and dedicated testing resources. The goal is deploying critical patches within days, not weeks or months, because ransomware operators begin targeting newly disclosed vulnerabilities within that same timeframe.
Compensating Controls During the Patch Gap
Maintaining compensating controls provides defense-in-depth during the inevitable gap between patch availability and deployment. Network segmentation between the DMZ and internal networks prevents a compromised internet-facing system from providing direct access to the broader environment. Multi-factor authentication on all remote access prevents credential-based access even if an initial exploitation provides credential material. Endpoint detection on internet-facing systems provides rapid alerting when exploitation behavior is detected. Offline backup systems ensure recovery capability if ransomware deployment succeeds despite preventive measures.
Ransomware-Focused Automation
Vulnerability management automation specifically targeted at ransomware defense includes automated detection and alerting for new KEV entries affecting the organization's technology stack, automated ticket creation with emergency SLAs for KEV-matched findings on internet-facing systems, automated compensating control deployment (firewall rule changes, WAF updates) for critical vulnerabilities while patches are being tested, and automated verification scanning after emergency patch deployment. Each automation reduces the response time between vulnerability disclosure and organizational protection, compressing the window that ransomware operators target.
Tabletop exercises simulating ransomware scenarios should test the vulnerability management program's emergency response. The scenario starts with a newly disclosed critical CVE in a VPN appliance used by the organization. How quickly can the team identify affected assets? How fast can emergency patches be deployed? What compensating controls are applied during the patch gap? How is the response communicated to leadership? Testing these processes under simulated pressure reveals gaps that real incidents would expose, providing the opportunity to improve before a real ransomware-relevant CVE demands an emergency response.
Post-incident analysis from ransomware events, whether they occur at the organization or are reported publicly by peer organizations, should feed back into vulnerability management program improvements. Each ransomware incident that exploited a known vulnerability is a case study in what went wrong: was the vulnerability detected? Was it prioritized correctly? Was the remediation timeline achievable? Were compensating controls in place? Learning from both internal and external incidents continuously improves the program's ability to prevent ransomware exploitation through effective vulnerability management.