When people think about ransomware, they picture phishing emails or employees clicking bad links. That is one entry point, but it is not the only one. Your company website, especially if it runs on a CMS like WordPress, Joomla, or a custom web application with outdated dependencies, can serve as the front door for a ransomware attack.
This is not a theoretical concern. We have seen it happen to SMEs in Ticino, across Switzerland, and throughout Europe. A compromised website gives attackers a foothold on your server. From there, they can pivot into your internal network, escalate privileges, exfiltrate data, and deploy ransomware that encrypts everything.
How Attackers Get In Through Your Website
A website is a publicly accessible application running on a server that is connected to the internet 24/7. If it has a vulnerability, it will be found. Automated scanners sweep the internet continuously, testing millions of sites for known exploits.
Common Web Application Attack Vectors
1. Unpatched CMS and Plugins
This is the most frequent entry point. WordPress alone powers over 40% of websites, and its plugin ecosystem is a constant source of vulnerabilities. When a security patch is released, attackers compare the patched and unpatched code to find the flaw and build a working exploit, often within hours, and then use it against every site that has not yet updated.
A single outdated plugin can give an attacker the ability to upload a web shell: a small script that provides remote command execution on your server. Once they have a shell, they can run arbitrary commands as the web server user, and the rest of the chain described below follows from there. Read more about this in our article on WordPress vulnerabilities.
2. SQL Injection
SQL injection lets attackers run their own queries against your database. They can extract credentials, customer data, and administrative access. In some configurations, it can be escalated to command execution on the operating system: xp_cmdshell in MSSQL runs OS commands directly when it is enabled, and SELECT ... INTO OUTFILE in MySQL writes attacker-controlled content to disk, which becomes a web shell if the database user has the FILE privilege and can write into the web root.
3. File Upload Vulnerabilities
If your website accepts file uploads (profile pictures, documents, contact form attachments) and does not properly validate them, an attacker can upload executable code. A PHP file disguised as a JPEG, for instance, can give full server access.
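The checks that defeat the disguised-JPEG case are short enough to show. The script below is an added example for this article, not code from the original page or from any CMS; it assumes a POSIX shell with head, od, tr and grep, and the JPEG header and PHP tag it tests against are constructed inline.

```shell
#!/bin/sh
# Added example: server-side validation of an uploaded file before it is
# stored under a web-served directory. Not code from the original article.
# Assumes POSIX sh with head, od, tr and grep; no PHP or CMS is needed.

ALLOWED_EXT=" jpg jpeg png gif pdf "   # allowlist; everything else is refused

# first_bytes_hex FILE -> first 8 bytes as lower-case hex, e.g. ffd8ffe0
first_bytes_hex() {
  head -c 8 "$1" | od -An -tx1 | tr -d ' \n'
}

# magic_ok FILE EXT -> exit 0 when the file header matches the declared type
magic_ok() {
  hex=$(first_bytes_hex "$1")
  case "$2" in
    jpg|jpeg) case "$hex" in ffd8ff*) return 0 ;; esac ;;
    png)      case "$hex" in 89504e470d0a1a0a) return 0 ;; esac ;;
    gif)      case "$hex" in 474946383761*|474946383961*) return 0 ;; esac ;;
    pdf)      case "$hex" in 255044462d*) return 0 ;; esac ;;
  esac
  return 1
}

# validate_upload FILE CLIENT_FILENAME -> prints a verdict; exit 0 = accept
validate_upload() {
  file=$1
  base=${2##*/}                                      # drop any path the client sent
  ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')  # last extension, lower-cased
  stem=${base%.*}

  # 1. Dotfiles (an uploaded .htaccess can make the upload directory execute
  #    PHP) and double extensions (shell.php.jpg) are refused by name alone.
  case "$base" in .*) echo "reject: dotfile '$base'"; return 1 ;; esac
  case "$stem" in *.*) echo "reject: double extension '$base'"; return 1 ;; esac

  # 2. Extension allowlist. The client-supplied MIME type is never consulted.
  case "$ALLOWED_EXT" in
    *" $ext "*) ;;
    *) echo "reject: .$ext is not an allowed type"; return 1 ;;
  esac

  # 3. The file header must match the declared type (a text file renamed to
  #    .jpg fails here).
  magic_ok "$file" "$ext" || { echo "reject: content is not a .$ext"; return 1; }

  # 4. A valid header proves nothing about the rest of the file. A PHP open
  #    tag after a JPEG header is the "PHP disguised as JPEG" case; refusing
  #    it outright is the safe choice for an upload endpoint (re-encode the
  #    image instead if you must accept arbitrary metadata).
  if grep -aq -e '<?php' -e '<?=' -- "$file"; then
    echo "reject: PHP tag inside .$ext"; return 1
  fi
  echo "accept: $base"
}

# Usage: sh validate_upload.sh FILE CLIENT_FILENAME
# With no arguments, two constructed samples are checked: a bare JPEG header
# and the same header followed by a PHP tag.
if [ $# -eq 2 ]; then validate_upload "$1" "$2"; exit $?; fi
d=$(mktemp -d)
printf '\377\330\377\340' > "$d/real.jpg"
printf '\377\330\377\340<?php echo 1; ?>' > "$d/fake.jpg"
validate_upload "$d/real.jpg" photo.jpg || true
validate_upload "$d/fake.jpg" photo.jpg || true
rm -rf "$d"
```

The order matters: name checks before the content is touched, header check before the content scan, and the client's MIME type is never consulted. On a real server, also store uploads outside the web root or in a directory where the web server is configured not to execute scripts, so that a check that is bypassed still does not hand over code execution.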
4. Remote Code Execution (RCE)
Some vulnerabilities allow direct code execution without any authentication. These are the most dangerous. Recent examples include Log4Shell (CVE-2021-44228), which affected Java-based applications, and various PHP deserialization vulnerabilities that have hit frameworks like Laravel and Symfony.
5. Stolen Credentials
Weak passwords, reused credentials, or credentials exposed in data breaches can give attackers direct access to your CMS admin panel, hosting control panel (cPanel, Plesk), or SSH. From there, the path to ransomware deployment is short.
From Web Shell to Ransomware: Lateral Movement
Getting access to a web server is step one. The real damage happens when attackers move laterally from that server into the rest of your network. Here is how that progression typically works:
Step 1: Initial Access
The attacker exploits a vulnerability in your website and uploads a web shell or establishes a reverse shell connection. They now have command-line access to your web server.
Step 2: Reconnaissance
From the web server, the attacker surveys the environment:
- Network configuration: what other systems are reachable?
- Stored credentials: database passwords in configuration files, SSH keys, API tokens
- Running services: what else is on this server or on the same network?
- User accounts: who has access, and what are their privilege levels?
Step 3: Privilege Escalation
Web servers typically run as a limited user (e.g., www-data or apache). Attackers escalate to root/administrator with local exploits against an unpatched kernel or setuid binaries, or through misconfigurations such as sudo rules granted to the web server user, writable cron jobs, or root credentials left in deployment scripts. Unpatched operating systems make this easier than it should be.
Step 4: Lateral Movement
With elevated privileges, the attacker moves to other systems on the network. Common techniques include:
- Using discovered credentials to access other servers via SSH or RDP
- Exploiting trust relationships between systems
- Leveraging shared network drives
- Attacking Active Directory if the server is domain-joined
- Pivoting through VPN connections found on the server
Step 5: Data Exfiltration
Before encrypting anything, modern ransomware groups steal your data. This enables "double extortion": pay the ransom or we publish your sensitive data. They quietly copy customer databases, financial records, employee information, and intellectual property to their servers.
Step 6: Ransomware Deployment
Once the attackers have spread through the network and exfiltrated valuable data, they deploy ransomware simultaneously across all compromised systems. Backup servers and snapshots are targeted first, so that recovery without paying is not an option. Then the encryption begins, and you see the ransom note.
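Seen from the defender's side, the reconnaissance in Step 2 is a list of things you can look for yourself before an attacker does. The script below is an added example, not code from the original article; it assumes POSIX sh with find and grep, and the WordPress-like directory tree it audits by default is constructed inline with one instance of each finding (the eval line in it is the textbook web shell indicator, present only as data to be detected).

```shell
#!/bin/sh
# Added example, not code from the original article: a defender's run of the
# reconnaissance step. It walks a web root the way an attacker holding a web
# shell would and reports what they would harvest (plaintext database
# credentials, private keys, an exposed .git) and what may already have been
# left behind (PHP in upload directories, recently changed PHP files that
# feed request input to eval/system). Assumes POSIX sh, find and grep; the
# sample tree it audits by default is constructed below.

# scan_webroot DIR DAYS -> one "TAG path: detail" line per finding
scan_webroot() {
  root=$1; days=$2

  # CMS config files hold the database password; they must be readable by
  # the web server user only (0640 with group www-data, never world-readable).
  find "$root" -type f \( -name wp-config.php -o -name configuration.php \
       -o -name settings.php -o -name .env \) -perm -o=r 2>/dev/null |
    sed 's|^|SECRET |; s|$|: world-readable config file (holds DB credentials)|'

  # Private keys under the web root open SSH to other hosts.
  grep -rl 'PRIVATE KEY-----' "$root" 2>/dev/null |
    sed 's|^|KEY |; s|$|: private key inside web root|'

  # A .git directory serves source, history and often credentials over HTTP.
  find "$root" -type d -name .git 2>/dev/null |
    sed 's|^|GIT |; s|$|: repository inside web root|'

  # Upload directories should never contain server-side code.
  find "$root" -type f -path '*/uploads/*' \( -name '*.php' -o -name '*.phtml' \
       -o -name '*.php[0-9]' \) 2>/dev/null |
    sed 's|^|WEBSHELL |; s|$|: executable script in an upload directory|'

  # PHP changed in the last DAYS days that passes request input to a code or
  # command execution function: the classic web shell shape.
  find "$root" -type f -name '*.php' -mtime -"$days" 2>/dev/null |
  while read -r f; do
    if grep -qE '(eval|assert|system|shell_exec|passthru|popen|proc_open)[[:space:]]*\(' "$f" &&
       grep -qE '\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
      echo "WEBSHELL $f: changed within $days days, executes request input"
    fi
  done
}

# audit_webroot DIR [DAYS] -> prints findings; exit 0 only if there are none
audit_webroot() {
  out=$(scan_webroot "$1" "${2:-7}")
  [ -n "$out" ] || { echo "no findings under $1"; return 0; }
  printf '%s\n' "$out"
  return 1
}

# make_sample_webroot DIR -> constructed WordPress-like tree with one of each
# finding; the eval line is the textbook indicator, present only as data.
make_sample_webroot() {
  d=$1
  mkdir -p "$d/wp-content/uploads/2024" "$d/wp-content/plugins/form" "$d/.git" "$d/backup"
  printf "<?php define('DB_PASSWORD', 'constructed');\n" > "$d/wp-config.php"
  chmod 644 "$d/wp-config.php"                 # world-readable: finding
  printf 'DB_PASSWORD=constructed\n' > "$d/.env"
  chmod 600 "$d/.env"                          # owner-only: no finding
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' constructed \
    '-----END OPENSSH PRIVATE KEY-----' > "$d/backup/id_rsa"
  printf '<?php echo "x";\n' > "$d/wp-content/uploads/2024/image.php"
  printf '<?php @eval($_POST["c"]);\n' > "$d/wp-content/plugins/form/cache.php"
  printf '<?php echo "hello";\n' > "$d/index.php"   # ordinary file: no finding
}

# Usage: sh audit_webroot.sh /var/www/html [DAYS]; no argument audits the sample.
if [ $# -gt 0 ]; then audit_webroot "$1" "${2:-7}"; exit $?; fi
s=$(mktemp -d); make_sample_webroot "$s"
audit_webroot "$s" || true
rm -rf "$s"
```

Run it against the real web root from cron and alert on any output; the SECRET and KEY lines are what Step 2 harvests, the WEBSHELL lines are what Step 1 leaves behind. On the sample tree it reports five findings and nothing for the owner-only .env or the ordinary index.php.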
Real Ransomware Cases Targeting SMEs
Ransomware is not just a big-enterprise problem. SMEs are disproportionately targeted because they tend to have weaker defenses and are more likely to pay.
Case 1: Swiss Manufacturing Company
A manufacturing company in the German-speaking part of Switzerland had their WordPress site compromised through an outdated contact form plugin. The attackers used the web server as a pivot point to access the company's file server, which was on the same network with no segmentation. Total downtime: 3 weeks. Cost: estimated at CHF 400,000 between ransom payment, recovery, lost production, and reputational damage.
Case 2: Italian Professional Services Firm
A law firm in Northern Italy had their Joomla website running on the same server as their document management system. SQL injection gave the attackers database access, from which they extracted credentials that were reused for the DMS. Client files were exfiltrated and then encrypted. The firm faced both the ransom demand and potential GDPR penalties for the data breach.
Case 3: E-Commerce Site in Ticino
A small online retailer in Ticino ran a WooCommerce shop with several outdated plugins. Attackers exploited a known vulnerability in a payment gateway plugin, gained server access, and moved to the company's internal ERP system through a VPN connection configured on the same server. The entire business was offline for 10 days.
Cost Analysis: What Ransomware Actually Costs
The ransom payment itself is often the smallest cost. Here is a breakdown of the real financial impact:
| Cost Category | Typical Range (SME) | Notes |
|---|---|---|
| Ransom payment | CHF 10,000 - 500,000 | Paying does not guarantee data recovery |
| Business downtime | CHF 5,000 - 50,000/day | Average downtime: 21 days |
| Incident response | CHF 20,000 - 100,000 | Forensics, remediation, consulting |
| Data recovery | CHF 10,000 - 50,000 | Even with backups, recovery takes time |
| Legal and compliance | CHF 5,000 - 100,000 | GDPR/nDSG breach notification, legal counsel |
| Reputational damage | Difficult to quantify | Customer churn, lost deals, negative press |
| Security improvements | CHF 20,000 - 100,000 | Post-incident hardening that should have been done before |
A conservative total for an SME ransomware incident: CHF 100,000 to 500,000. For many small businesses, this is an existential threat. A frequently quoted figure is that 60% of small businesses close within six months of a major cyber attack; the exact number is disputed, but the direction is not.
Backup Strategies That Actually Work
Backups are your last line of defense against ransomware. But not all backup strategies are created equal. Attackers know that backups exist, and they specifically target backup systems during an attack.
The 3-2-1 Rule
The minimum viable backup strategy:
- 3 copies of your data
- 2 different storage media
- 1 copy offsite (or offline)
Immutable Backups
Modern ransomware specifically targets backup files. If your backups are on a network share that the ransomware can access, they will be encrypted too. Immutable backups cannot be modified or deleted for a defined retention period, even by an attacker who has harvested the credentials your backup job uses to write them. Cloud providers like AWS (S3 Object Lock), Azure (immutable blob storage), and Backblaze B2 (Object Lock) offer this capability.
Offline/Air-Gapped Backups
The most secure backup is one that is physically disconnected from any network. A rotating set of external hard drives or tape backups stored in a safe provides ransomware-proof recovery. The downside: it requires manual process and discipline.
Test Your Restores
A backup that you have never tested is not a backup. It is a hope. Schedule quarterly restore tests. Verify that:
- Backup files are not corrupted
- You can actually restore to a functional state
- The restoration process is documented and someone knows how to execute it
- The restore time meets your business requirements (RTO)
- The data loss window is acceptable (RPO)
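A restore test worth scheduling checks the data, not just that the backup job ran. The script below is an added example, not code from the original article: backup() writes a tar archive with a SHA-256 manifest, restore_test() restores it into scratch space, verifies every file and compares the time taken with the RTO, and upload_immutable() shows the S3 Object Lock call for the offsite copy. It assumes POSIX sh, tar, date, cmp and sha256sum or shasum; the upload function additionally assumes the AWS CLI, credentials and a bucket with Object Lock enabled, uses a placeholder key prefix, and is not executed here.

```shell
#!/bin/sh
# Added example, not code from the original article: a restore test that can
# run from cron. backup() writes a tar archive plus a SHA-256 manifest;
# restore_test() extracts the archive into scratch space, verifies every file
# against the manifest and compares the elapsed time with the RTO.
# upload_immutable() shows the S3 Object Lock call for the offsite copy; it is
# not executed here and assumes the AWS CLI, credentials and a bucket with
# Object Lock enabled (the "backups/" key prefix is a placeholder).
# Needs POSIX sh, tar, date, cmp and sha256sum (or shasum -a 256).

sha256() { sha256sum "$@" 2>/dev/null || shasum -a 256 "$@"; }

# manifest DIR -> "hash  ./relative/path" for every regular file, sorted
manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do sha256 "$f"; done )
}

# backup SRC_DIR ARCHIVE -> writes ARCHIVE and ARCHIVE.sha256
backup() {
  manifest "$1" > "$2.sha256"
  tar -C "$1" -cf "$2" .
}

# restore_test ARCHIVE RTO_SECONDS -> exit 0 only when the restored data
# matches the manifest AND the restore finished within the RTO
restore_test() {
  archive=$1; rto=$2
  scratch=$(mktemp -d)
  start=$(date +%s)
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    echo "FAIL: $archive is unreadable or truncated"
    rm -rf "$scratch"; return 1
  fi
  manifest "$scratch" > "$scratch.manifest"
  elapsed=$(( $(date +%s) - start ))
  if ! cmp -s "$archive.sha256" "$scratch.manifest"; then
    echo "FAIL: restored files differ from the manifest after ${elapsed}s"
    rm -rf "$scratch" "$scratch.manifest"; return 1
  fi
  rm -rf "$scratch" "$scratch.manifest"
  if [ "$elapsed" -gt "$rto" ]; then
    echo "FAIL: data verified, but the restore took ${elapsed}s against an RTO of ${rto}s"
    return 1
  fi
  echo "OK: restore verified in ${elapsed}s (RTO ${rto}s)"
}

# upload_immutable ARCHIVE BUCKET DAYS -> offsite copy under S3 Object Lock in
# COMPLIANCE mode: the objects cannot be deleted or overwritten before the
# retention date, not even with the credentials the backup job itself uses.
upload_immutable() {
  until=$(date -u -d "+$3 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
          date -u -v+"$3"d +%Y-%m-%dT%H:%M:%SZ)              # GNU date, then BSD
  for f in "$1" "$1.sha256"; do
    aws s3api put-object --bucket "$2" --key "backups/$(basename "$f")" \
      --body "$f" --object-lock-mode COMPLIANCE \
      --object-lock-retain-until-date "$until"
  done
}

# Usage: sh restore_test.sh SRC_DIR ARCHIVE [RTO_SECONDS]
# With no arguments a constructed directory is backed up and restored.
if [ $# -ge 2 ]; then backup "$1" "$2" && restore_test "$2" "${3:-3600}"; exit $?; fi
w=$(mktemp -d)
mkdir -p "$w/src/sub"
printf 'constructed customer list\n' > "$w/src/customers.csv"
printf 'constructed ERP export\n'    > "$w/src/sub/erp.csv"
backup "$w/src" "$w/daily.tar"
restore_test "$w/daily.tar" 60 || true
rm -rf "$w"
```

A truncated or encrypted archive fails the first check; an archive whose contents were altered fails the manifest comparison; a restore that is correct but too slow fails the RTO check. Because the test restores into scratch space, it can run against yesterday's backup every night without touching production, and the manifest doubles as the integrity record for the immutable copy.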
Incident Response: What to Do When It Happens
Having a plan before you need it makes the difference between a managed incident and total chaos.
Immediate Actions (First 2 Hours)
- Isolate affected systems: Disconnect compromised machines from the network immediately. Do not shut them down (this can destroy forensic evidence), but pull the network cable or disable the WiFi.
- Assess the scope: Which systems are affected? Is the encryption still spreading?
- Preserve evidence: Do not wipe or rebuild anything yet. Forensic investigation requires the original state.
- Notify leadership: The incident response team and management need to know immediately.
Short-Term Actions (First 24 Hours)
- Engage incident response professionals: Unless you have an in-house security team, bring in external experts.
- Identify the ransomware variant: This determines whether free decryptors are available and how the attack likely occurred.
- Notify authorities: In Switzerland, report to the NCSC (National Cyber Security Centre). If personal data was affected, the FDPIC must be notified under the revised Data Protection Act (nDSG) when the breach is likely to result in a high risk for the affected persons; if EU residents' data is involved, the GDPR's 72-hour notification deadline applies as well.
- Assess backup viability: Are your backups intact? Were they also compromised?
- Communication plan: Prepare statements for employees, customers, and partners.
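Preserving evidence and assessing scope on a Linux web server can be scripted in advance so nobody has to remember the commands at 2 a.m. The script below is an added example, not code from the original article; it assumes POSIX sh, find, tar and sha256sum or shasum, skips any probe whose tool is missing, and only reads from the host. Run it as root on the isolated machine and keep the output on removable media rather than on the compromised system.

```shell
#!/bin/sh
# Added example, not code from the original article: a first-responder
# snapshot for a Linux web server, run from a shell on the isolated host
# before anything is rebuilt. It records volatile state (connections,
# processes, scheduled tasks, logins), lists and copies recently changed
# files from the web root, then hashes the collection so it can later be
# shown to be unaltered. It only reads from the host. Assumes POSIX sh, find,
# tar and sha256sum or shasum; each probe is skipped if its tool is absent.
# Run as root on a real host so sockets and other users' files are visible.

sha256() { sha256sum "$@" 2>/dev/null || shasum -a 256 "$@"; }

# capture OUTDIR NAME CMD... -> store CMD's output as OUTDIR/NAME.txt
capture() {
  out=$1; name=$2; shift 2
  command -v "$1" >/dev/null 2>&1 || { echo "skip: $1 not installed" >&2; return 0; }
  "$@" > "$out/$name.txt" 2>&1 || true       # a failing probe must not stop the rest
}

# hash_tree DIR -> "hash  ./path" for every file except the manifest, sorted
hash_tree() {
  ( cd "$1" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort |
    while read -r f; do sha256 "$f"; done )
}

# collect_evidence OUTDIR WEBROOT [DAYS] -> fills OUTDIR, writes CUSTODY.log
# and MANIFEST.sha256, prints the number of artefacts collected
collect_evidence() {
  out=$1; webroot=$2; days=${3:-3}
  mkdir -p "$out/samples"
  {
    echo "collected_by=$(id -un 2>/dev/null || echo unknown)"
    echo "host=$(hostname 2>/dev/null || echo unknown)"
    echo "webroot=$webroot"
    echo "started_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  } > "$out/CUSTODY.log"

  capture "$out" uname       uname -a
  capture "$out" connections ss -tunap       # who is the server talking to?
  capture "$out" processes   ps auxww        # reverse shells, miners, tunnels
  capture "$out" logins      last -a
  capture "$out" crontab     crontab -l      # persistence
  capture "$out" cron_system ls -la /etc/cron.d /etc/cron.daily
  # Web shells, edited configs and dropped .htaccess files usually appear in
  # the web root within the first days; list them with owner, mode and time.
  find "$webroot" -type f -mtime -"$days" -exec ls -la {} \; \
    > "$out/recent_files.txt" 2>/dev/null || true
  # Keep a copy of every recently changed script, paths preserved, for analysis.
  find "$webroot" -type f -mtime -"$days" \( -name '*.php' -o -name '.htaccess' \) 2>/dev/null |
    tar -cf "$out/samples/recent_scripts.tar" -T - 2>/dev/null || true

  echo "finished_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$out/CUSTODY.log"
  hash_tree "$out" > "$out/MANIFEST.sha256"
  wc -l < "$out/MANIFEST.sha256" | tr -d ' '
}

# verify_evidence OUTDIR -> exit 0 if every artefact still matches the manifest
verify_evidence() {
  if hash_tree "$1" | cmp -s - "$1/MANIFEST.sha256"; then
    echo "evidence intact"
  else
    echo "MISMATCH: evidence altered since collection"; return 1
  fi
}

# Usage: sh collect_evidence.sh /media/usb/evidence /var/www/html [DAYS]
# With no arguments it runs against a constructed web root in a temp dir.
if [ $# -ge 2 ]; then collect_evidence "$1" "$2" "${3:-3}"; exit $?; fi
t=$(mktemp -d); mkdir -p "$t/www"
printf '<?php echo "constructed";\n' > "$t/www/index.php"
collect_evidence "$t/evidence" "$t/www" >/dev/null
verify_evidence "$t/evidence"
rm -rf "$t"
```

The manifest and custody log are what make the collection usable later: whoever analyses the evidence, or a court, can check that nothing changed after collection. Record the hash of MANIFEST.sha256 itself on paper or in a ticket at the time of collection.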
Should You Pay the Ransom?
Law enforcement and security professionals generally advise against paying. Reasons:
- Payment does not guarantee you will get your data back (about 20% of those who pay do not receive a working decryptor)
- It funds criminal organizations and encourages more attacks
- You may be targeted again because you are known to pay
- There may be legal implications depending on who you are paying (sanctioned entities)
That said, each situation is different. If your business survival depends on it and you have no viable backups, the decision is ultimately yours. Document everything.
Why Patching Matters
Most web-based ransomware entry points exploit known vulnerabilities with available patches. The gap between a patch being released and an exploit being deployed in the wild is shrinking. For critical vulnerabilities, it can be as short as 24-48 hours.
A Practical Patching Strategy
- Critical patches: Apply within 24 hours of release. Yes, this means having a process that allows emergency updates.
- High patches: Apply within 1 week.
- Medium/Low patches: Apply within the regular maintenance window (monthly).
- Automatic updates: Enable for CMS core and security plugins where possible. The risk of a bad update is lower than the risk of remaining unpatched.
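For a WordPress host this SLA translates into a routine that can run from cron. The script below is an added example, not code from the original article or from WP-CLI; the WP-CLI commands run only when the wp binary is present, the database backup path taken before updating is a placeholder, and the inventory fed to the SLA check is a constructed CSV with a fixed "now" timestamp so that its output is reproducible.

```shell
#!/bin/sh
# Added example, not code from the original article: the patching routine
# for a WordPress host using WP-CLI, plus an SLA check that turns the patch
# windows above into an overdue list. WP-CLI commands are only run when the
# wp binary is present; the inventory for the SLA check is a constructed CSV
# (component,severity,release_epoch) and "now" is fixed for reproducibility.
# Assumes POSIX sh; WP-CLI and a WordPress path for the live update part.

# sla_seconds SEVERITY -> patch window from the strategy above
sla_seconds() {
  case "$1" in
    critical) echo 86400 ;;        # 24 hours
    high)     echo 604800 ;;       # 1 week
    *)        echo 2592000 ;;      # 30 days: the monthly maintenance window
  esac
}

# iso_utc EPOCH -> ISO-8601 timestamp (GNU date first, BSD date as fallback)
iso_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%MZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%MZ
}

# overdue_report NOW_EPOCH < CSV -> one line per component; exit 1 if any
# component is past its deadline
overdue_report() {
  now=$1; overdue=0
  while IFS=, read -r component severity released; do
    [ -n "$component" ] || continue
    deadline=$(( released + $(sla_seconds "$severity") ))
    if [ "$now" -gt "$deadline" ]; then
      echo "OVERDUE  $component ($severity): deadline was $(iso_utc "$deadline"), $(( (now - deadline) / 3600 ))h ago"
      overdue=$((overdue + 1))
    else
      echo "on-time  $component ($severity): due $(iso_utc "$deadline"), $(( (deadline - now) / 3600 ))h left"
    fi
  done
  [ "$overdue" -eq 0 ]
}

# patch_wordpress WP_PATH -> check file integrity, back up the database, then
# update core, plugins and themes. Skipped when wp-cli is not installed.
patch_wordpress() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not installed; skipping live update"; return 0; }
  # Modified core or plugin files before an update usually mean a web shell,
  # not a customisation: investigate first, do not update over it.
  wp --path="$1" core verify-checksums || echo "WARNING: core files differ from wordpress.org"
  wp --path="$1" plugin verify-checksums --all || echo "WARNING: modified plugin files found"
  wp --path="$1" db export "/var/backups/wp-pre-update-$(date +%F).sql" || return 1   # placeholder path
  wp --path="$1" core update && wp --path="$1" core update-db || return 1
  wp --path="$1" plugin update --all
  wp --path="$1" theme update --all
  wp --path="$1" plugin list --update=available --format=csv   # anything still pending
}

# Usage: sh patch_check.sh /var/www/html   runs the live routine; with no
# argument only the SLA report is shown, against the constructed inventory.
if [ $# -eq 1 ]; then patch_wordpress "$1"; exit $?; fi
overdue_report 1700000000 <<'EOF' || true
contact-form plugin,critical,1699900000
wordpress core,high,1699500000
php runtime,medium,1697000000
EOF
```

The integrity checks come before the update on purpose: a core or plugin file that differs from the wordpress.org checksum is the first sign of a web shell, and updating over it hides the evidence without removing the attacker's other footholds.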
What to Patch
- CMS core (WordPress, Joomla, Drupal)
- All plugins and themes
- Server operating system
- Web server software (Apache, Nginx)
- Programming language runtimes (PHP, Node.js, Python)
- Database software (MySQL, PostgreSQL)
- SSL/TLS libraries (OpenSSL)
Network Segmentation: Containing the Blast Radius
If an attacker compromises your web server, network segmentation determines whether they can reach anything else. Without segmentation, a single compromised server gives access to everything on the same network.
Minimum Segmentation for SMEs
- DMZ: Web servers and public-facing services in a demilitarized zone, isolated from internal networks.
- Internal network: Workstations and internal services, separated from the DMZ.
- Server network: Internal servers (file server, ERP, database) in their own segment.
- Backup network: Backup systems isolated from all other segments, with strict access controls.
Firewall Rules
The web server should only be able to communicate with what it absolutely needs:
- Its own database server, on the database port only (nothing else on that host, and no other hosts in the server segment)
- Outbound HTTP/HTTPS for updates (if needed)
- Outbound SMTP for transactional emails (if needed)
- Nothing else. No access to file servers, Active Directory, internal applications, or backup systems.
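In nftables, the policy above for the web server host looks like this. The ruleset below is an added example, not configuration from the original article; the database, SMTP relay, DNS and admin jump host addresses are placeholders, and the perimeter firewall should enforce the same policy so that the host rules are a second layer rather than the only one.

```shell
#!/bin/sh
# Added example, not configuration from the original article: host firewall
# for a DMZ web server in nftables syntax. The perimeter firewall must carry
# the same policy; this is the second layer on the host itself. All addresses
# are placeholders. Needs POSIX sh to generate and nft to apply:
#   sh dmz_web_fw.sh > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf

# dmz_web_ruleset DB_HOST DB_PORT SMTP_RELAY ADMIN_HOST DNS -> ruleset on stdout
dmz_web_ruleset() {
  db=$1; dbport=$2; smtp=$3; admin=$4; dns=$5
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet dmz_web {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport { 80, 443 } accept                    # the only public services
    ip saddr $admin tcp dport 22 accept             # SSH from the admin host only
    icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;   # a web server never routes
  }
  chain output {
    type filter hook output priority 0; policy drop;    # egress is allow-listed too
    oif lo accept
    ct state established,related accept
    ip daddr $db tcp dport $dbport accept           # its own database, one port
    ip daddr $smtp tcp dport 587 accept             # transactional mail relay
    ip daddr $dns udp dport 53 accept
    ip daddr $dns tcp dport 53 accept
    tcp dport { 80, 443 } accept                    # package and CMS updates
    # Nothing for file servers, AD, RDP, internal apps or backup hosts:
    # the default drop covers them, and that is what stops lateral movement.
  }
}
EOF
}

# Usage: sh dmz_web_fw.sh DB_HOST DB_PORT SMTP_RELAY ADMIN_HOST DNS
# With no arguments, placeholder addresses are used.
if [ $# -eq 5 ]; then
  dmz_web_ruleset "$@"
else
  dmz_web_ruleset 10.0.2.10 3306 10.0.2.25 10.0.3.5 10.0.0.53
fi
```

Check the generated file with nft -c -f before loading it. Two caveats: outbound HTTP/HTTPS to anywhere is still a channel for reverse shells and data exfiltration, so if updates can go through a proxy or a local mirror, restrict those two rules to that host; and if the database runs on the same machine as the website, as in Case 2 above, no network rule separates them.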
This single measure would have stopped the lateral movement in Case 1 and Case 3. Case 2 is different: the website and the document management system shared one server, so there was no network boundary for a firewall to enforce. That is the other half of the lesson: a public website should never be co-hosted with internal applications, and credentials should never be shared between them.
Prevention Checklist
Use this checklist to evaluate your ransomware readiness. Each item directly reduces your attack surface or limits the damage of a successful attack.
Web Application Security
- CMS and all plugins/themes are up to date
- Web application firewall (WAF) in place
- File upload validation enforced
- Input validation and output encoding implemented
- Admin interfaces restricted by IP or VPN
- Strong, unique passwords with MFA for all admin accounts
- Regular security scans and vulnerability assessments
Server Security
- Operating system patched and up to date
- Unnecessary services disabled
- SSH key-based authentication (password login disabled)
- Firewall configured with deny-all default
- File integrity monitoring enabled
- Log aggregation and monitoring in place
Network Security
- Web server in DMZ, isolated from internal network
- Firewall rules restrict lateral movement
- VPN access requires MFA
- Internal network segmented by function
Backup and Recovery
- 3-2-1 backup rule followed
- At least one backup is immutable or offline
- Backup restoration tested quarterly
- RTO and RPO defined and achievable
- Incident response plan documented and rehearsed
Get Help Before It Is Too Late
Ransomware prevention is cheaper than ransomware recovery. Every single time. If you are unsure about the security posture of your website and infrastructure, get a professional assessment before an attacker does their own assessment.
For more on building a comprehensive security strategy, read our cybersecurity guide for SMEs. And if you want to evaluate your current security posture, contact our team for a thorough assessment.
Want to know if your site is secure?
Request a free security audit. In 48 hours you get a complete report.
Request Free Audit