Ransomware gangs do not break in through some exotic zero-day most of the time. They walk through the front door because someone left it ajar. A VPN appliance running last year’s firmware, a remote desktop port open to the internet, an old webmail portal nobody remembers commissioning. These are the entry points that turn up again and again in incident reports, and they are almost always visible from outside the network long before the attackers ever touch a keyboard or write a single line of malicious code.
The usual suspects
Attackers scan the internet constantly, cataloguing which companies run which software and which versions, building databases of exposed infrastructure long before they pick a specific target. When a new vulnerability is published for a VPN gateway or a mail server, they already know which of your IP addresses are running it. There is no need to guess. Remote access tools are the biggest culprit, closely followed by exposed admin panels, unpatched web servers, and login pages with no lockout policy protecting them against automated guessing running around the clock.
This is precisely why an external network pen testing engagement matters so much before a criminal group finds these gaps first. A tester approaches your perimeter the same way an attacker would, mapping every exposed service, checking versions against known flaws, and attempting the same logins a bot would try at three in the morning. The difference is that you get a detailed report with a remediation plan attached to it, instead of a ransom note and a business standing still.

What gets missed and why
Most of these weaknesses persist not through carelessness but through drift, the slow accumulation of small, reasonable decisions that nobody ever circles back to review. A firewall rule opened for a contractor two years ago never got closed. A test server went live and stayed live long after the project it supported was finished. IT teams are stretched thin, patching cycles slip behind the calendar, and nobody schedules time to ask what the company actually looks like from the outside, because there is always something more urgent competing for the same afternoon.
William Fieldhouse has watched this pattern repeat across dozens of engagements, in businesses of every size and sector.
“I’ve lost count of the times we’ve found a forgotten remote access portal still running credentials from a departed employee, sitting there for months with nobody the wiser. It is never the systems people are actively watching that cause the breach, it’s the ones they stopped thinking about years ago and simply left running.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That observation matches what shows up time and again once testing actually starts properly. The systems everyone assumes are locked down usually turn out fine, because someone is still paying attention to them. It is the quiet, half-forgotten service running in the background that opens the door, precisely because nobody has looked at it since the day it went live, sometimes years earlier.
Close the gap before someone else finds it
Regular external testing paired with ongoing vulnerability scan services gives you a running inventory of what is actually exposed, rather than what you assume is exposed based on a spreadsheet nobody has updated recently. Ransomware crews rely on businesses not looking at their own perimeter often enough, betting that the gap between assumption and reality will stay wide enough to walk through. Prove them wrong, get a clear picture of your front door, and fix what needs fixing before it becomes an incident report with your company’s name attached to it.
