By Mackenzie Gryder, with Ben Taylor
This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
While zero-day exploits tend to make headlines for their novelty and potential severity, most ransomware campaigns continue to rely on known vulnerabilities that organizations have failed to patch. Recent reporting shows that attackers still take advantage of long-standing flaws in widely deployed systems, underscoring how patch management remains a critical line of defense.
CISA’s Known Exploited Vulnerabilities (KEV) catalog highlights persistent points of vulnerability and provides organizations with actionable intelligence to prioritize remediation. This guidance is critical because, unlike zero-day vulnerabilities, which defenders can only address after discovery and the development of mitigations, known exploits can be proactively patched. High-profile cases, such as the exploitation of the Log4Shell vulnerability and the recent abuse of a CLFS zero-day to deliver ransomware, illustrate how both known and unknown vulnerabilities can drive significant attacks. The KEV catalog identifies which vulnerabilities are known to be used in ransomware campaigns, offering organizations crucial insight for prioritizing patching efforts that directly reduce the risk of ransomware infection. Leveraging this resource is therefore essential for reducing exposure while preparing to respond rapidly to emerging zero-day threats.
Why Patching Matters:
Patching matters in part because it mitigates the threat from attackers who, rather than inventing new tricks, simply leverage known vulnerabilities that many organizations leave unresolved. Patching is one component of a larger organizational Vulnerability Management Program, and failure to patch can lead to exploitation of vulnerabilities, resulting in data breaches and other compromises. Threat actors use readily available tools to routinely scan networks for known vulnerabilities that have already been disclosed and patched by vendors, knowing that many organizations delay applying those fixes.
Ransomware actors often weaponize CVE-listed vulnerabilities that have been publicly documented. According to CISA, in 2022 “malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems”, and a 2025 TechTarget survey showed that 32% of cyberattacks exploit unpatched software vulnerabilities.
In some cases, there’s a window between release of a patch and the first known exploit, giving defenders some time to respond. Yet, without a consistent patch management process – to include the ability to execute out-of-band updates for higher risk concerns – organizations remain vulnerable. GreyNoise’s annual Mass Internet Exploitation Report indicated that 40% of the vulnerabilities exploited in 2024 were at least four years old, prompting a call from the researchers to take “immediate, concrete steps to address these persistent threats since attackers are successfully monetizing both legacy and new vulnerabilities through sophisticated automation.”
Vulnerable software is a hacker’s love language:
WannaCry spread by exploiting the EternalBlue vulnerability in Windows SMBv1, a flaw for which Microsoft had already released a patch in March 2017. However, many organizations either did not apply the patch or were running unsupported versions of Windows, leaving them vulnerable. The ensuing ransomware attack in 2017 infected over 300,000 computers across 150 countries, resulting in billions of dollars in damage. The incident demonstrated the importance of preparing for blended threats, as the UK’s National Health Service was among the organizations impacted, resulting in thousands of cancelled appointments and disruption to critical services. This is a reminder that when patches exist, failing to apply them can lead to catastrophic consequences.
In May 2023, a zero-day SQL injection vulnerability in MOVEit Transfer, a widely adopted file transfer solution, was exploited by the Clop ransomware gang to steal data on an unprecedented scale. The exploit allowed mass exfiltration of sensitive data from over 2,700 organizations, impacting an estimated 93 million individuals. Although Progress Software released a patch in late May and CISA issued an urgent advisory, Clop had already executed a broad “smash-and-grab” campaign. This breach illustrates how, in zero-day scenarios, defenders must pivot almost immediately once a patch becomes available, as adversaries exploit such vulnerabilities at lightning speed.
An Ounce of Prevention is Worth a Pound of Cure:
The cost of not patching refers to significant risks and consequences that organizations and individuals face when they fail to apply software updates or security patches in a timely manner. These costs can be both direct and indirect, and they often far exceed the effort and resources required to implement patches.
Security Risks:
- Increased Vulnerability: Unpatched systems are easy targets for cybercriminals, especially when vulnerabilities are publicly disclosed.
- Exploitation by Ransomware: Several major ransomware attacks exploited known vulnerabilities where patches were already available.
- Data Breaches: Hackers can gain unauthorized access to sensitive data, leading to leaks, identity theft, or espionage.
Barriers to Timely Patching:
Operational Challenges:
- Downtime concerns and inability to take critical systems offline
- Change-freeze periods delaying updates
- Dependencies on legacy systems that risk breaking compatibility
- Resource limitations: staffing shortages, budget constraints, skill gaps
- Competing priorities for IT and security teams without adequate support
Technical Challenges:
- Patch conflicts causing deployment issues
- Insufficient testing environments for updates
- Vendor delays affecting timely patch release
- Complex or integrated systems complicating patching
- Visibility issues: incomplete asset inventories, alert fatigue, underestimating vulnerability severity
Awareness Challenges:
- Underestimating the severity of impact of certain vulnerabilities
- Lack of timely communication about critical updates
Cultural/Process Challenges:
- Absence of a formal patch management policy
- Siloed communication between departments
- Patching treated as an ad-hoc or low-priority task rather than a structured, security-focused practice
Patching Best Practices:
- Build a formal patching policy
  - Define timelines, assign ownership, and document exceptions and escalation procedures.
- Maintain an accurate asset inventory
  - Know what systems, applications, and devices you have.
- Prioritize patches based on risk
  - Use threat intelligence and vulnerability severity.
- Test before deployment
  - Use staging or sandbox environments to test patches before production rollout, and validate that patches don’t break critical applications, integrations, or configurations.
- Establish regular patch cycles
  - Align with monthly vendor patches and standardize maintenance windows.
- Communicate with stakeholders
  - Provide clear schedules and expected downtime, and ensure management approval when required.
- Document and continuously improve
  - Keep detailed logs of what was patched, when, and by whom, and use post-patch reviews to identify gaps.
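The KEV catalog's ransomware-use flag, the asset inventory, risk-based prioritization, and the patch log described above can be tied together in a short ranking script. The following is an added example written for this post, not Gate 15 tooling or CISA code: the record layout follows the field names of CISA's published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but every catalog entry, CVE ID, hostname and patch-log row is a constructed placeholder, and the scoring weights are a hypothetical starting point rather than any published guidance.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the layout of the KEV JSON feed. CVE IDs are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "FileMover",
         "dateAdded": "2025-05-31", "dueDate": "2025-06-21", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "OfficeSuite",
         "dateAdded": "2025-07-01", "dueDate": "2025-07-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "LegacySMB",
         "dateAdded": "2021-03-01", "dueDate": "2021-03-22", "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass(frozen=True)
class Asset:
    """One row of the asset inventory (constructed hosts and products)."""
    hostname: str
    vendor: str
    product: str
    internet_facing: bool


INVENTORY = [
    Asset("ftp-edge-01", "ExampleCorp", "FileMover", internet_facing=True),
    Asset("ws-finance-12", "ExampleCorp", "OfficeSuite", internet_facing=False),
    Asset("legacy-print-03", "OtherVendor", "LegacySMB", internet_facing=False),
    Asset("ws-hr-02", "ExampleCorp", "OfficeSuite", internet_facing=False),
]

# Constructed patch log: what was patched, when, and by whom.
PATCH_LOG = [
    {"hostname": "ws-hr-02", "cveID": "CVE-0000-0002", "applied": "2025-08-01", "by": "j.doe"},
]

EXAMPLE_TODAY = date(2025, 8, 15)  # fixed "today" so the ranking is reproducible


def load_kev(json_text):
    """Return the vulnerability records from a KEV-layout JSON document."""
    return json.loads(json_text)["vulnerabilities"]


def patched_cves_by_host(patch_log):
    """Fold the patch log into {hostname: set of CVE IDs already applied}."""
    done = {}
    for rec in patch_log:
        done.setdefault(rec["hostname"], set()).add(rec["cveID"])
    return done


def score(entry, asset, today):
    """Higher score means patch sooner. Weights are hypothetical, not CISA's."""
    s = 0
    if entry["knownRansomwareCampaignUse"] == "Known":
        s += 50  # catalog says ransomware crews already use this flaw
    if asset.internet_facing:
        s += 30  # reachable by the routine mass scanning described in the post
    if today > date.fromisoformat(entry["dueDate"]):
        s += 20  # already past the catalog's remediation due date
    age_years = (today - date.fromisoformat(entry["dateAdded"])).days // 365
    s += min(age_years, 5) * 2  # old entries keep being exploited; do not let them age out
    return s


def prioritize(inventory, kev_entries, patch_log, today):
    """Match inventory rows to catalog entries, drop what the log shows as done, rank the rest."""
    done = patched_cves_by_host(patch_log)
    work = []
    for asset in inventory:
        for e in kev_entries:
            same_product = (e["vendorProject"].lower(), e["product"].lower()) == (
                asset.vendor.lower(), asset.product.lower())
            if not same_product or e["cveID"] in done.get(asset.hostname, set()):
                continue
            work.append({
                "hostname": asset.hostname,
                "cveID": e["cveID"],
                "ransomware_use": e["knownRansomwareCampaignUse"],
                "dueDate": e["dueDate"],
                "score": score(e, asset, today),
            })
    # Highest score first; ties broken by earliest due date, then hostname.
    work.sort(key=lambda w: (-w["score"], w["dueDate"], w["hostname"]))
    return work


def run_example():
    """Rank the constructed inventory against the constructed catalog."""
    return prioritize(INVENTORY, load_kev(SAMPLE_KEV_JSON), PATCH_LOG, EXAMPLE_TODAY)


for w in run_example():
    print(f"{w['score']:>3}  {w['hostname']:<16} {w['cveID']}  ransomware={w['ransomware_use']}  due={w['dueDate']}")
```

On the constructed data the internet-facing file transfer host with a ransomware-flagged entry ranks first, the four-year-old entry on the legacy host ranks second despite its age, and the workstation whose CVE the patch log already records is dropped from the work list entirely. Replacing SAMPLE_KEV_JSON with the downloaded catalog and INVENTORY with a real asset export is the only change needed to run it against your own estate; the point of the patch log is that the ranking shrinks as work is recorded, which is what the "document and continuously improve" step is for.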
Ransomware doesn’t need to be innovative to be effective. Time and time again, attackers take advantage of unpatched systems, leveraging vulnerabilities that defenders have already warned about. Patching is not optional; it’s a foundational element of resilience. By building a structured patch management process, maintaining asset visibility, and embedding patching into routine operations, organizations can drastically reduce their exposure to ransomware and other cyber threats. The cost of patching may involve planning, resources, and temporary inconvenience, but compared to the financial, operational, and reputational devastation of an attack, it’s a small price to pay. In the end, patching is about closing the door before adversaries ever have a chance to walk in.
Insights from our Weekly Ransomware Report.
Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): Safepay (9), Warlock (6), and Play (5).
- Ransomware gang takedowns causing explosion of new, smaller groups.
- 25% of security leaders replaced after ransomware attack
Coming Up Next: “Back It Up or Lose It: Data Recovery Strategies That Work.” Reliable, tested backups are often the last line of defense—without them, victims face paying the ransom or losing critical data permanently. Organizations should review backup strategies, such as frequency, redundancy, and testing, to minimize downtime and data loss after an attack.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send out an email and mention this blog, and let’s discuss how to boost your organizational resilience together.
Join the GRIP! Stay informed of what’s new in all-hazards homeland security by joining the Gate 15’s Resilience and Intelligence Portal (GRIP). Join the GRIP! and join us in securing America’s people, places, data, and dollars. To join the GRIP, click the link above or here, scroll down and select the “Join the Grip!” button, or email our team at Gate15@Gate15.global.
Gate 15: Technology-enhanced, human-driven, homeland security risk management.

Understand the Threats.
Assess the Risks.
Take Action.
