A prominent senator is calling for federal regulators to investigate Microsoft over “gross cybersecurity negligence” he said enabled last year’s massive cyberattack on Ascension, which compromised the personal information of 5.6 million individuals and interrupted IT services.
Ron Wyden, D-Ore., who is the ranking member of the Senate Committee on Finance, penned a letter Wednesday to the Federal Trade Commission (FTC) critical of the default configurations of Microsoft’s Windows operating system and related products, which he called "dangerous, insecure software."
With Windows’s near-ubiquitous adoption among businesses and government agencies, the default security features it chooses to implement have an outsized impact in heading off ransomware attacks against critical infrastructure “including U.S. healthcare organizations," Wyden wrote.
The senator illustrates his point by detailing the circumstances around Ascension’s ransomware attack, into which his office had conducted oversight. The nonprofit system is among the country’s largest with more than 120 hospitals, and it faced weeks of downtime procedures and months of volume and revenue cycle disruptions due to the breach detected in May 2024.
Ascension told Wyden’s team that, in February 2024, a contractor on an Ascension laptop had clicked on a malicious link surfaced by Bing, Microsoft’s search engine and the default search engine of its Edge web browser. Malware that infected the contractor’s laptop gave the attackers network access to the system’s organizationwide user account directory. They gained privileged access to accounts on that directory by exploiting a technique called “Kerberoasting” and pushed their ransomware to thousands of other Ascension computers.
Kerberoasting, Wyden’s letter explains, exploits a decades-old encryption technology called RC4 that Microsoft and other cybersecurity authorities warn organizations against, but which Microsoft still supports by default. Microsoft, at the urging of Wyden’s office, had published a blog post in October 2024 outlining the threat and promising a software update to disable RC4, but has yet to deploy that update. The company more recently published “a highly technical blog post on an obscure area of the company’s website” and has declined to explicitly warn customers of the vulnerability.
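The letter's point is that RC4 remains enabled by default, so a defender's first questions are which service accounts are still being issued RC4-encrypted Kerberos tickets and whether any single account is collecting many of them at once. The script below is an added illustration, not code from the article, from Wyden's office or from Microsoft: it runs a simple detection over constructed Windows Security event 4769 ("A Kerberos service ticket was requested") records, using the documented ticket encryption type code 0x17 for RC4-HMAC, and decodes the msDS-SupportedEncryptionTypes bit flags that control whether an account accepts RC4. Field names, the sample events, the user and service names, and the 5-minute/3-service burst threshold are assumptions chosen for the example.

```python
"""Defender-side check for RC4 Kerberos service tickets (event 4769).

Sample records below are constructed for illustration; they are not real
telemetry. Etype codes and attribute bit values follow Microsoft's public
documentation for event 4769 and msDS-SupportedEncryptionTypes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket Encryption Type values as logged in event 4769.
ETYPE_NAMES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
RC4_ETYPES = {0x17, 0x18}

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
ENC_DES_CBC_CRC, ENC_DES_CBC_MD5, ENC_RC4_HMAC, ENC_AES128, ENC_AES256 = 1, 2, 4, 8, 16

# Constructed sample of 4769 events (field names mirror the event's XML data).
SAMPLE_EVENTS = [
    {"time": "2024-02-10T09:00:01", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "sql01$", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.5"},
    {"time": "2024-02-10T09:01:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "sql01$", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.77"},
    {"time": "2024-02-10T09:01:05", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "web01$", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.77"},
    {"time": "2024-02-10T09:01:09", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "backup01$", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.77"},
    {"time": "2024-02-10T09:02:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "files01$", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.77"},
    {"time": "2024-02-10T11:30:00", "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "legacyapp$", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.9"},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def rc4_service_tickets(events):
    """Return only the events whose ticket was issued with an RC4 etype."""
    return [e for e in events if e["TicketEncryptionType"] in RC4_ETYPES]


def services_accepting_rc4(events):
    """Map each service account seen issuing RC4 tickets to the users who got them.

    Every key here is an account that should be moved to AES-only (and given a
    long random password) before RC4 is disabled domain-wide."""
    out = defaultdict(set)
    for e in rc4_service_tickets(events):
        out[e["ServiceName"]].add(e["TargetUserName"])
    return {svc: sorted(users) for svc, users in out.items()}


def burst_requesters(events, window=timedelta(minutes=5), min_services=3):
    """Flag users who obtained RC4 tickets for >= min_services distinct services
    inside one sliding time window. Legitimate clients rarely do this; bulk
    ticket requests are the signal to investigate."""
    by_user = defaultdict(list)
    for e in rc4_service_tickets(events):
        by_user[e["TargetUserName"]].append((parse_time(e["time"]), e["ServiceName"]))
    flagged = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged.append(user)
                break
    return sorted(flagged)


def allows_rc4(supported_enc_types: int) -> bool:
    """True if an explicit msDS-SupportedEncryptionTypes value includes RC4.
    A value of 0 / unset falls back to domain defaults and is reported as
    True here (assumption for this example: defaults still permit RC4)."""
    if supported_enc_types == 0:
        return True
    return bool(supported_enc_types & ENC_RC4_HMAC)


if __name__ == "__main__":
    for svc, users in services_accepting_rc4(SAMPLE_EVENTS).items():
        print(f"{svc}: RC4 tickets issued to {', '.join(users)}")
    print("burst requesters:", burst_requesters(SAMPLE_EVENTS))
    print("0x1C allows RC4:", allows_rc4(0x1C), "| 0x18 allows RC4:", allows_rc4(0x18))
```

In a real environment the records come from the domain controllers' Security logs (forwarded via WEF or a SIEM), and the `services_accepting_rc4` output doubles as the inventory to work through before the default-off change described in the article lands: set each listed account to AES-only (bits 0x8 and 0x10), rotate its password, and re-run the check to confirm no RC4 tickets are issued.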
“The Ascension hack illustrates how it is Microsoft’s customers, and, ultimately, the public, who bear the cost of Microsoft’s dangerous software engineering practices and the company’s refusal to inform its customers about the pressing need to adopt important cybersecurity safeguards,” the letter reads.
Microsoft, in a statement given to Fierce Healthcare, affirmed that it discourages the use of RC4 and said the old standard “makes up less than .1% of our traffic.”
“However, disabling its use completely would break many customer systems,” the statement reads. “For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible.”
Microsoft said it’s been in talks with Wyden’s office on the issue and, beginning in the first quarter of 2026, will disable RC4 by default in new installations of Active Directory Domains using Windows Server 2025. The company also plans “to include additional mitigations for existing in-market deployments” with compatibility in mind.
Still, Wyden said the Kerberoasting exploit that led to Ascension’s breach is just one example of “Microsoft’s culture of negligent cybersecurity.” The letter pointed to other incidents in 2023 and this year in which government agencies and corporate customers were compromised by Chinese government-linked hackers due to vulnerabilities in Microsoft software.
“There is one company benefiting from this status quo: Microsoft itself,” Wyden wrote. “Instead of delivering secure software to its customers, Microsoft has built a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it. At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”
Wyden’s letter asks the FTC to investigate Microsoft’s role in facilitating the attacks and hold it responsible “for the serious harm it has caused.”