Ransomware Defenders
Defense Guide

Vulnerability Management Program

Find and fix exploitable weaknesses before ransomware operators do. Build a continuous vulnerability management program with risk-based prioritization.

Unpatched Vulnerabilities Are Ransomware's Front Door

Ransomware operators are not finding zero-day vulnerabilities — they are exploiting known vulnerabilities that organizations have failed to patch. The vast majority of ransomware attacks exploit vulnerabilities for which patches have been available for months or years. The attackers are simply moving faster than defenders.

A mature vulnerability management program closes this gap by continuously discovering, prioritizing, and remediating vulnerabilities before they can be exploited. It is not about fixing everything — it is about fixing the right things first: the vulnerabilities that ransomware groups are actually targeting, on the systems that are most exposed and most critical.

The Patching Gap

The average time for ransomware groups to weaponize a new vulnerability is 15 days from public disclosure. The average enterprise patching time for critical vulnerabilities is 60+ days. This 45-day gap is the attacker's window of opportunity — and it is wide open.

6 Steps to a Vulnerability Management Program

Build a continuous, risk-based vulnerability management program that closes the window of opportunity for ransomware operators.

1

Asset Discovery & Inventory

You cannot protect what you do not know about. Comprehensive asset discovery is the foundation of vulnerability management — every unknown asset is an unmanaged risk.

Key Activities:

  • Deploy automated asset discovery tools that scan your network continuously for connected devices
  • Maintain an up-to-date Configuration Management Database (CMDB) with owner, criticality, and classification for each asset
  • Discover shadow IT: cloud services, SaaS applications, and devices deployed without IT approval
  • Inventory internet-facing assets separately — these are the highest-risk targets for ransomware initial access
  • Map software inventory: operating systems, applications, libraries, and firmware versions across all assets
  • Identify end-of-life (EOL) software and hardware that no longer receives security updates
  • Classify assets by business criticality to prioritize vulnerability remediation efforts

2

Vulnerability Scanning

Implement regular, comprehensive vulnerability scanning that covers your entire attack surface — internal, external, cloud, and application layers.

Key Activities:

  • Deploy authenticated vulnerability scanning on all internal assets at least weekly
  • Run external vulnerability scans against internet-facing assets at least weekly
  • Implement continuous scanning for critical infrastructure and internet-facing systems
  • Scan cloud environments (AWS, Azure, GCP) using cloud-native and third-party scanning tools
  • Include web application scanning (DAST) for internet-facing applications
  • Scan container images in the CI/CD pipeline before deployment to production
  • Conduct credentialed scans where possible — authenticated scans find 2-10x more vulnerabilities than unauthenticated scans

3

Risk-Based Prioritization

Not all vulnerabilities are equal. Prioritize based on exploitability, business impact, and threat intelligence — not just CVSS score alone.

Key Activities:

  • Use risk-based scoring that combines CVSS base score with exploitability data (EPSS, CISA KEV catalog)
  • Prioritize vulnerabilities with known active exploitation — check the CISA Known Exploited Vulnerabilities (KEV) catalog
  • Factor in asset criticality: a medium vulnerability on a domain controller is higher priority than a high on a test server
  • Track which vulnerabilities ransomware groups actively exploit — this is your highest-priority remediation list
  • Deprioritize vulnerabilities that require local access or complex preconditions with no known exploit code
  • Use the Exploit Prediction Scoring System (EPSS) to estimate the probability of exploitation in the next 30 days
  • Create clear remediation SLAs by priority tier: Critical (24-72 hours), High (7 days), Medium (30 days), Low (90 days)
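As an added example (not part of the original guide), the prioritization rules above carried into a script: it combines CVSS, EPSS, KEV membership, CMDB criticality and internet exposure into a tier and attaches the guide's SLA deadline. The tier thresholds, the Finding fields, the host names and the CVE-EXAMPLE ids are assumptions constructed for illustration, not a standard formula.

```python
"""Risk-based prioritization of scanner findings (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# SLA windows per tier from the guide (Critical is 24-72h; 72h used as the hard deadline)
SLA = {"Critical": timedelta(hours=72), "High": timedelta(days=7),
       "Medium": timedelta(days=30), "Low": timedelta(days=90)}
TIER_ORDER = ["Critical", "High", "Medium", "Low"]

@dataclass
class Finding:
    host: str
    cve: str               # placeholder ids in SAMPLE below, not real CVEs
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation, 0-1
    in_kev: bool           # listed in the CISA KEV catalog
    criticality: int       # asset criticality from the CMDB, 1 (low) to 4 (crown jewel)
    internet_facing: bool

def priority_tier(f: Finding) -> str:
    """Map one finding to a tier. These rules are this example's assumptions:
    KEV on an exposed or crown-jewel asset -> Critical; KEV elsewhere, or
    EPSS >= 0.5 on an exposed asset -> High; else CVSS weighted by asset
    criticality plus an EPSS term, thresholded into High/Medium/Low."""
    exposed = f.internet_facing or f.criticality >= 4
    if f.in_kev and exposed:
        return "Critical"
    if f.in_kev or (f.epss >= 0.5 and exposed):
        return "High"
    score = f.cvss * (f.criticality / 4) + 10 * f.epss + (1 if exposed else 0)
    if score >= 9:
        return "High"
    return "Medium" if score >= 5 else "Low"

def prioritize(findings, now: datetime):
    """Order findings by tier, then EPSS, then CVSS, and attach the SLA due date."""
    rows = sorted(((priority_tier(f), f) for f in findings),
                  key=lambda r: (TIER_ORDER.index(r[0]), -r[1].epss, -r[1].cvss))
    return [{"host": f.host, "cve": f.cve, "tier": t, "due": now + SLA[t]}
            for t, f in rows]

# Constructed sample (the guide's case: medium CVSS on a DC outranks high CVSS on a test server)
SAMPLE = [
    Finding("test-srv", "CVE-EXAMPLE-1", 8.0, 0.01, False, 1, False),
    Finding("dc01", "CVE-EXAMPLE-2", 5.5, 0.02, False, 4, False),
    Finding("vpn01", "CVE-EXAMPLE-3", 9.8, 0.95, True, 3, True),
    Finding("web02", "CVE-EXAMPLE-4", 7.5, 0.90, False, 2, True),
    Finding("wks17", "CVE-EXAMPLE-5", 7.8, 0.05, True, 2, False),
]
```

Calling `prioritize(SAMPLE, datetime.now())` yields the remediation queue with a due date per finding; feed the same fields from your scanner export and CMDB instead of SAMPLE.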

4

Remediation & Patching

Close vulnerabilities through patching, configuration changes, compensating controls, or risk acceptance with proper documentation.

Key Activities:

  • Implement automated patch deployment for operating systems and common applications (Windows Update, WSUS, SCCM, Intune)
  • Create a patch testing process: test patches in a staging environment before deploying to production
  • Establish emergency patching procedures for actively exploited vulnerabilities (bypass normal change management when needed)
  • Address vulnerabilities that cannot be patched with compensating controls: network segmentation, WAF rules, access restrictions
  • Track and remediate software that is end-of-life and no longer receiving security updates — upgrade or isolate
  • Document risk acceptance decisions with executive approval for vulnerabilities that cannot be remediated
  • Implement automated compliance checking to verify patches were successfully applied across all systems

5

Verification & Validation

Verify that vulnerabilities are actually fixed, not just patched on paper. Conduct validation testing to confirm remediation effectiveness.

Key Activities:

  • Re-scan remediated systems to verify vulnerabilities are resolved — do not close tickets based on patch deployment alone
  • Conduct targeted penetration testing against critical vulnerabilities to validate that exploits no longer succeed
  • Verify compensating controls are functioning as intended through testing, not assumptions
  • Monitor for vulnerability regression: systems reverting to vulnerable states after reimaging, reprovisioning, or configuration drift
  • Validate that patch deployment reached all instances — check for missed systems, failed deployments, and exceptions
  • Test web application fixes with manual security testing in addition to automated scanning
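An added example, not from the original guide, of the re-scan check in this step: it classifies each (host, CVE) pair across successive scan snapshots as open, resolved, new or regressed, and lists findings the patch tool reports as deployed that the latest scan still sees, so those tickets stay open. The snapshot data, host names and CVE-EXAMPLE ids are constructed.

```python
"""Verify remediation from successive scan snapshots (constructed example).

A snapshot is the set of (host, cve) pairs the scanner still reports as
open on a given date. A finding counts as resolved only when a later
re-scan no longer reports it; one that disappears and later returns is a
regression (reimage, reprovisioning, configuration drift).
"""

def finding_status(history):
    """history: presence (True/False) of one finding in each snapshot, oldest first."""
    if not history[-1]:
        return "resolved"
    first = history.index(True)
    if first == len(history) - 1:
        return "new"
    if not all(history[first:]):          # was present, vanished, came back
        return "regressed"
    return "open"

def verification_report(snapshots, deployed):
    """snapshots: list of (label, set of (host, cve)) oldest first.
    deployed: (host, cve) pairs the patch tool reports as patched.
    Returns per-finding status, the deployed pairs a re-scan confirms fixed,
    and the deployed pairs the latest scan still reports (not verified)."""
    keys = set().union(*(s for _, s in snapshots))
    status = {k: finding_status([k in s for _, s in snapshots]) for k in keys}
    latest = snapshots[-1][1]
    return {"status": status,
            "closeable": sorted(k for k in deployed if status.get(k) == "resolved"),
            "not_verified": sorted(k for k in deployed if k in latest)}

# Constructed snapshots: baseline, after the patch window, after srv2 was reimaged
SNAPSHOTS = [
    ("2025-01-06 baseline", {("srv1", "CVE-EXAMPLE-1"), ("srv1", "CVE-EXAMPLE-2"),
                             ("srv2", "CVE-EXAMPLE-1"), ("ws3", "CVE-EXAMPLE-3")}),
    ("2025-01-13 post-patch", {("srv1", "CVE-EXAMPLE-2"), ("ws3", "CVE-EXAMPLE-3")}),
    ("2025-01-20 post-reimage", {("srv1", "CVE-EXAMPLE-2"), ("srv2", "CVE-EXAMPLE-1"),
                                 ("ws9", "CVE-EXAMPLE-4")}),
]
# What the patch tool claims was deployed (constructed)
DEPLOYED = {("srv1", "CVE-EXAMPLE-1"), ("srv2", "CVE-EXAMPLE-1"), ("srv1", "CVE-EXAMPLE-2")}
```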

6

Continuous Improvement & Reporting

Track vulnerability management metrics, report to leadership, and continuously improve your program based on data and evolving threats.

Key Activities:

  • Track key metrics: mean time to remediate (MTTR) by severity, vulnerability backlog size, SLA compliance rates
  • Monitor scan coverage: what percentage of assets are being scanned regularly? Target 100%
  • Report monthly to security leadership: top risks, remediation progress, SLA compliance, and trend analysis
  • Benchmark your program against industry peers using frameworks like NIST CSF and CIS Controls
  • Integrate vulnerability data with threat intelligence to prioritize emerging threats
  • Review and update scanning policies, prioritization criteria, and SLAs annually
  • Automate vulnerability management workflows: scanning, ticket creation, assignment, and follow-up

Vulnerability Scanning Approaches

Use multiple scanning approaches to achieve comprehensive coverage across your attack surface.

Agent-Based Scanning

Lightweight agents installed on endpoints that continuously assess vulnerability status and report to a central management console.

Advantages:

Continuous monitoring, works for remote/roaming devices, no network scanning overhead

Considerations:

Requires agent deployment and management, may conflict with other agents, OS compatibility

Best For:

Laptops, remote workers, and devices that are not always on the corporate network

Network-Based Scanning

Centralized scanner appliances that probe systems across the network to identify vulnerabilities remotely.

Advantages:

No agent required, can scan any network-accessible device, good for discovery

Considerations:

Point-in-time snapshots, may miss devices not on the network, authenticated scans require credentials

Best For:

Internal network infrastructure, servers, and network devices

External Attack Surface Management (EASM)

Continuous discovery and assessment of internet-facing assets and their vulnerabilities from an external perspective.

Advantages:

Attacker's-eye view, discovers unknown internet-facing assets, continuous monitoring

Considerations:

Limited to externally visible vulnerabilities, may not cover all assets

Best For:

Internet-facing assets — the primary entry point for ransomware initial access

Application Security Testing (DAST/SAST)

Dynamic (DAST) and static (SAST) analysis of web applications and code to identify application-level vulnerabilities.

Advantages:

Catches application-specific vulnerabilities that infrastructure scanning misses

Considerations:

Requires specialized tools and expertise, high false positive rates in SAST

Best For:

Custom web applications, APIs, and software development teams

Vulnerabilities Ransomware Groups Exploit

Prioritize remediation of these vulnerability categories that ransomware operators actively target in real-world attacks.

Remote Access

  • VPN appliance vulnerabilities (Fortinet, Pulse Secure, Citrix) — primary initial access for ransomware in 2024-2026
  • RDP exposed to the internet — still one of the top initial access vectors despite being well-known
  • Remote management tools (ConnectWise ScreenConnect, Kaseya) — supply chain targets for mass deployment
  • Unpatched web servers and web applications (Exchange, SharePoint, Confluence) with RCE vulnerabilities
  • Exposed management interfaces (firewalls, routers, hypervisors) with default or weak credentials

Privilege Escalation

  • Active Directory privilege escalation (ZeroLogon, PrintNightmare, PetitPotam, ESC vulnerabilities)
  • Local privilege escalation in Windows (kernel exploits, service misconfigurations)
  • Misconfigured Group Policy Objects that grant unintended administrative access
  • Service accounts with excessive privileges and weak or non-rotating passwords
  • Domain controllers with unpatched or unhardened authentication services (LDAP signing not enforced, exposure to NTLM relay)

Defense Evasion

  • Vulnerable kernel drivers used to kill EDR/AV processes (Bring Your Own Vulnerable Driver / BYOVD)
  • Outdated antivirus signatures and disabled real-time protection
  • Misconfigured Windows Defender exclusions (for example overly broad path or process exclusions) that create gaps in coverage
  • Living-off-the-land binaries (LOLBins) and unpatched applications that attackers abuse for code execution
  • PowerShell execution policies not enforced — allowing unrestricted script execution

Relevant Standards & Resources

CISA Known Exploited Vulnerabilities (KEV) Catalog

Authoritative list of vulnerabilities being actively exploited — patch these first, no exceptions

CIS Controls v8 — Control 7: Continuous Vulnerability Management

Prescriptive guidance for building and maintaining a vulnerability management program

EPSS (Exploit Prediction Scoring System)

Data-driven model estimating the probability of exploitation in the next 30 days — superior to CVSS alone for prioritization

NIST SP 800-40 Rev. 4

Guide to Enterprise Patch Management Planning — best practices for operationalizing patch management

Close Your Vulnerability Gaps

Our security team can assess your vulnerability management maturity, implement scanning infrastructure, and help you prioritize what matters most.