Ransomware is the greatest cyber threat facing Swiss SMEs. The damage ranges from days of business downtime to ransom payments and complete data loss. Yet a widespread misconception persists: many companies believe that ransomware groups deploy highly sophisticated zero-day exploits that are nearly impossible to defend against. The reality is different — and it is both alarming and encouraging at the same time.
Ransomware Exploits Known Vulnerabilities
The vast majority of ransomware attacks are not based on zero-day vulnerabilities but on long-known and documented security flaws for which patches are available. Studies show that over 80 per cent of successful ransomware attacks exploit vulnerabilities that have been known for months or even years.
This means: most of these attacks could have been prevented. Not through expensive new technology, but through consistent vulnerability management.
The Swiss National Cyber Security Centre (NCSC, now BACS) recorded a steady stream of ransomware reports in 2023 and 2024, particularly from SMEs. The most common entry vectors are alarmingly predictable.
The Most Common Entry Points for Ransomware
1. VPN Gateways and Remote Access Appliances
VPN appliances from Fortinet, Citrix, Ivanti, and Pulse Secure are among the most popular targets of ransomware groups. The reason is simple: these devices sit directly on the internet and, when successfully exploited, immediately grant access to the internal network.
Some of the most devastating vulnerabilities in recent years affected precisely these systems:
- Fortinet FortiOS (CVE-2023-27997, CVE-2024-21762): Critical vulnerabilities in FortiGate firewalls that were actively exploited by ransomware groups
- Citrix NetScaler/ADC (CVE-2023-4966 “Citrix Bleed”): Enabled the theft of session tokens and was massively exploited by the LockBit group
- Ivanti Connect Secure (CVE-2024-21887, CVE-2023-46805): Authentication bypass and command injection, used for initial access to corporate networks
The insidious part: many SMEs run these devices without knowing which firmware version is installed or whether that version is affected by known vulnerabilities. The appliance “just works” — and that is precisely the problem.
2. Remote Desktop Protocol (RDP)
Exposed RDP remains one of the most common ransomware entry vectors. Attackers either use brute-force attacks against weak passwords or exploit known RDP vulnerabilities such as BlueKeep (CVE-2019-0708). Any system with RDP port 3389 directly reachable from the internet is found by automated scanners within hours.
3. Microsoft Exchange Server
On-premise Exchange servers have been a preferred target in recent years. The ProxyShell and ProxyLogon vulnerabilities (CVE-2021-26855 and related) enabled remote code execution without authentication. Many SMEs still operate Exchange servers that are not fully patched.
4. Outdated Web Applications and CMS
WordPress installations with outdated plugins, Joomla systems, or custom-built web applications with SQL injection vulnerabilities also provide entry points. Through a compromised web application, an attacker can often access the underlying server and move laterally into the network from there.
Why Backup Alone Is Not Prevention
“We have backups, so we’re protected.” This statement comes up in almost every SME conversation about ransomware. And it is fundamentally wrong.
Backups are an important part of recovery strategy, but they do not prevent an attack. Modern ransomware groups have evolved their tactics:
- Double extortion: Before encrypting data, it is exfiltrated. Even if you restore from backup, the attackers threaten to publish sensitive data.
- Backup destruction: Professional ransomware groups specifically seek out backup systems and delete or encrypt them first. If your backups reside on the same network, they are affected too.
- Extended dwell time: Attackers often spend weeks inside the network before striking. During this time, they understand your infrastructure, identify critical systems, and prepare for maximum damage.
- Business disruption: Even with perfect backups, restoration takes days to weeks. The business interruption often costs more than the ransom itself.
Prevention — stopping the initial access — is superior to any reactive measure. And this is exactly where vulnerability management comes in.
Continuous Scanning as a Prevention Strategy
Vulnerability management reduces the attack surface before an attacker can exploit it. The process is clear:
- Establish visibility: You can only protect what you know about. A comprehensive scan of your external and internal systems reveals your actual attack surface.
- Identify vulnerabilities: Automated scanners check your systems against databases containing over 64’000 known CVEs and detect outdated software, misconfigurations, and exposed services.
- Prioritise risks: Not every vulnerability is equally dangerous. EPSS scores (Exploit Prediction Scoring System) show which vulnerabilities are actively being exploited. The CISA KEV catalogue (Known Exploited Vulnerabilities) lists vulnerabilities that have been proven to be exploited in the wild.
- Remediate strategically: With prioritised results, you can deploy your limited resources where the risk is highest.
- Repeat continuously: New vulnerabilities are published daily. A one-time scan is a snapshot — only regular scanning provides sustained protection.
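To make the prioritisation and repetition steps above concrete, here is an added Python example (not from the article and not ExposIQ's code). It ranks constructed scanner findings by CISA KEV membership (including the catalogue's knownRansomwareCampaignUse field), EPSS probability, CVSS severity and internet exposure, and then diffs two scan runs to surface findings that are new since the last cycle. The KEV and EPSS samples are written in the layout of the public feeds but their contents are constructed; the EPSS values, CVSS values, the CVE-2099-* identifiers, the P1–P4 tiers and the 0.10 EPSS threshold are all assumptions for illustration, not standard values.

```python
"""Prioritise vulnerability-scan findings by KEV, EPSS, CVSS and exposure.

Added example: all sample data below is constructed for illustration.
"""
import csv
import json

# Constructed sample in the JSON layout of the CISA KEV catalogue (field names
# as in the public feed; entries are illustrative, not a copy of the feed).
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
         "product": "Connect Secure", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft",
         "product": "Remote Desktop Services", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed sample in the layout of the FIRST EPSS CSV export
# (one '#' comment line, then cve,epss,percentile). Scores are made up.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2023-4966,0.96,0.99
CVE-2024-21887,0.97,0.99
CVE-2019-0708,0.95,0.99
CVE-2099-0001,0.02,0.40
CVE-2099-0002,0.004,0.10
"""

# Constructed scanner output: host, CVE, CVSS base score (illustrative),
# and whether the service is reachable from the internet.
SCAN_FINDINGS = [
    {"host": "vpn.example.ch", "cve": "CVE-2023-4966", "cvss": 9.4, "internet_facing": True},
    {"host": "ts01.corp.example.ch", "cve": "CVE-2019-0708", "cvss": 9.8, "internet_facing": True},
    {"host": "fileserver.corp.example.ch", "cve": "CVE-2099-0001", "cvss": 7.5, "internet_facing": False},
    {"host": "intranet.corp.example.ch", "cve": "CVE-2099-0002", "cvss": 5.3, "internet_facing": False},
    {"host": "ivanti-lab.corp.example.ch", "cve": "CVE-2024-21887", "cvss": 9.1, "internet_facing": False},
]

EPSS_THRESHOLD = 0.10  # policy choice for this example, not a standard value


def load_kev(raw_json):
    """Return {cveID: knownRansomwareCampaignUse} from a KEV-format document."""
    data = json.loads(raw_json)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse", "Unknown")
            for v in data["vulnerabilities"]}


def load_epss(raw_csv):
    """Return {cve: epss} from an EPSS-format CSV, skipping '#' comment lines."""
    rows = [line for line in raw_csv.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def priority(finding, kev, epss):
    """Assign a remediation tier: KEV and exposure outrank raw CVSS severity."""
    cve = finding["cve"]
    in_kev = cve in kev
    ransomware_use = kev.get(cve) == "Known"
    score = epss.get(cve, 0.0)
    exposed = finding["internet_facing"]
    if in_kev and (exposed or ransomware_use):
        return "P1"  # proven exploitation plus exposure or ransomware use: patch first
    if in_kev or score >= EPSS_THRESHOLD or (exposed and finding["cvss"] >= 9.0):
        return "P2"
    if finding["cvss"] >= 7.0:
        return "P3"
    return "P4"


def prioritise(findings, kev, epss):
    """Return [(tier, finding)] sorted by tier, then EPSS, then CVSS descending."""
    ranked = [(priority(f, kev, epss), f) for f in findings]
    ranked.sort(key=lambda p: (p[0], -epss.get(p[1]["cve"], 0.0), -p[1]["cvss"]))
    return ranked


def new_since(previous, current):
    """Findings present in the current scan but absent from the previous one."""
    seen = {(f["host"], f["cve"]) for f in previous}
    return [f for f in current if (f["host"], f["cve"]) not in seen]


if __name__ == "__main__":
    kev, epss = load_kev(KEV_JSON), load_epss(EPSS_CSV)
    for tier, f in prioritise(SCAN_FINDINGS, kev, epss):
        print(f"{tier} {f['host']:<30} {f['cve']:<15} cvss={f['cvss']} epss={epss.get(f['cve'], 0.0)}")
    # Simulate the next scan cycle: one new finding appears on the intranet host.
    next_scan = SCAN_FINDINGS + [{"host": "intranet.corp.example.ch", "cve": "CVE-2023-4966",
                                  "cvss": 9.4, "internet_facing": False}]
    print("new since last scan:", [(f["host"], f["cve"]) for f in new_since(SCAN_FINDINGS, next_scan)])
```

Note that the internal Ivanti host lands in P1 despite not being internet-facing, because the catalogue flags the CVE for known ransomware use; a CVSS-only sort would rank it below the 9.8 on the terminal server. Swapping the constructed feeds for the real KEV JSON and EPSS CSV downloads is the only change needed to run this against genuine scanner output.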
Targeted Checks for VPN Gateways
Since VPN appliances are among the most critical entry points, they deserve special attention. But this is precisely where the challenge lies: many vulnerability scanners detect open ports but cannot reliably determine the specific firmware version of a Fortinet or Ivanti appliance.
ExposIQ solves this problem with a specialised approach: it specifically tests 28 different login paths for common VPN and remote access products and combines this with thousands of Nuclei templates that check for specific vulnerabilities in these products. This way, not only open ports are detected but the actual vulnerability status of the appliance is determined.
Implementing NCSC Recommendations
The Federal Office for Cyber Security (BACS, formerly NCSC) explicitly recommends regular vulnerability scans as a cornerstone of cyber defence for Swiss companies. The specific recommendations include:
- Regular updates of all systems and applications
- Reducing the attack surface by disabling unnecessary services
- Network segmentation to contain lateral movement
- Multi-factor authentication for all remote access
- Continuous monitoring of your own infrastructure
All of these recommendations presuppose that you know which systems are running on your network and which vulnerabilities exist. Without vulnerability management, you are operating blind.
The Pragmatic Approach for SMEs
Ransomware prevention does not require a million-franc budget. A pragmatic approach for SMEs looks like this:
- Immediately: Check whether RDP ports or VPN admin interfaces are directly reachable from the internet
- Short term: Ensure your VPN appliances are running the latest firmware
- Medium term: Implement regular vulnerability scans to identify new risks early
- Ongoing: Establish a process for timely patching of critical vulnerabilities
ExposIQ supports Swiss SMEs with exactly this approach. With over 35 scan engines, 64’000 CVEs, and specialised checks for VPN gateways, the platform covers the most common ransomware entry vectors. Hosted in Switzerland, nDSG-compliant, and available from CHF 99 per month. Because prevention is always cheaper than recovery: exposiq.ch