A U.S. senator has directed attention towards Microsoft, blaming the tech giant's technology for a significant ransomware attack that impacted Ascension Health, a leading Catholic healthcare provider, last year. Democratic Senator Ron Wyden has formally requested an investigation by the Federal Trade Commission (FTC) into Microsoft's role in the incident, alleging "gross cybersecurity negligence" that has contributed to a series of ransomware breaches affecting critical infrastructure across the nation.
In a detailed letter to the FTC, Wyden outlined findings from his office's investigation into the 2024 ransomware attack on Ascension. The inquiry revealed that hackers employed a method known as "Kerberoasting" to take over privileged accounts in Ascension's Microsoft Active Directory domain. In Kerberoasting, any authenticated domain user asks the domain controller for Kerberos service tickets for accounts that carry service principal names; each ticket is encrypted with a key derived from that account's password, so the attacker can carry the tickets off the network and guess the passwords offline. Wyden highlighted that the technique is made practical by Microsoft's ongoing support for an outdated cipher, RC4, which has been criticized by federal agencies and cybersecurity experts for over a decade due to its weaknesses. An RC4 ticket is keyed directly with the account's NT hash, so each password guess costs a single MD4 computation, whereas AES keys are derived with thousands of PBKDF2 iterations and are far slower to crack.
“Although Microsoft’s software does support a more secure encryption technology, the Advanced Encryption Standard (AES), this superior option is not set as the default in Windows,” Wyden noted in his correspondence. He elaborated that the reliance on RC4 encryption exposes customers to ransomware and other cyber threats, enabling hackers who gain access to any corporate network computer to compromise the passwords of privileged accounts used by administrators.
In response to Wyden's claims, a Microsoft spokesperson acknowledged that RC4 is indeed an outdated standard that the company advises against using. However, they argued that although RC4 constitutes less than 0.1% of the company's traffic, disabling it outright could disrupt many customer systems. "We're on a path to gradually reduce the extent to which customers can use it, while providing strong warnings and guidance for safe usage," the spokesperson stated. They also mentioned plans to disable RC4 by default in new installations of Active Directory Domains using Windows Server 2025 by the first quarter of 2026.
Wyden’s letter pointed out that Microsoft believes the risk of Kerberoasting can be mitigated by implementing long passwords exceeding 14 characters. However, he criticized the company for its lack of proactive communication, stating that Microsoft opted to publish a technical blog post in an obscure section of its website rather than issuing a clear warning to customers about their vulnerability to the Kerberoasting technique unless they altered the default settings.
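The passages above describe why RC4 matters for Kerberoasting and what the default encryption settings leave exposed. The script below is an added example, not code from the article, Wyden's letter or Microsoft: it decodes the Active Directory attribute `msDS-SupportedEncryptionTypes` to decide whether a service account will be issued RC4 tickets under the default domain setting, and it runs a simple Kerberoasting detector over constructed Windows Security event 4769 (service ticket request) records. The sample events, the `key=value` rendering of the 4769 fields, the requester names and the domain default of 0x27 are assumptions made for the example.

```python
"""Added example: Kerberoasting exposure triage from AD encryption-type
settings and Windows Security event 4769 (Kerberos service ticket request).
All log lines below are constructed for the example, not real data."""
from collections import defaultdict
from dataclasses import dataclass

# Kerberos etype numbers as logged in the 4769 field TicketEncryptionType
RC4_HMAC = 0x17      # etype 23: ticket keyed with the account's NT hash, cheap to crack offline
AES128_CTS = 0x11    # etype 17: PBKDF2-derived key (4096 iterations)
AES256_CTS = 0x12    # etype 18

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes
ENC_RC4 = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10
AES_ONLY = ENC_AES128 | ENC_AES256   # decimal 24: the AES-only value for a service account

# Assumption: value a domain controller falls back to when the attribute is
# unset or zero (0x27 = DES-CRC | DES-MD5 | RC4 | AES256-SK), i.e. RC4 stays allowed.
DOMAIN_DEFAULT_ENC_TYPES = 0x27


def account_issues_rc4_tickets(supported_enc_types, domain_default=DOMAIN_DEFAULT_ENC_TYPES):
    """True if service tickets for this account can be issued with RC4.
    An unset (None) or zero attribute means the domain default applies."""
    effective = supported_enc_types or domain_default
    return bool(effective & ENC_RC4)


@dataclass(frozen=True)
class TgsRequest:
    requester: str   # TargetUserName: who asked for the ticket
    service: str     # ServiceName: sAMAccountName of the SPN owner
    etype: int       # TicketEncryptionType
    src_ip: str      # IpAddress of the requester


def parse_4769(lines):
    """Parse one-line 'key=value' renderings of 4769 EventData (constructed format)."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(TgsRequest(fields["TargetUserName"], fields["ServiceName"],
                                 int(fields["TicketEncryptionType"], 16), fields["IpAddress"]))
    return events


def rc4_requests(events):
    """RC4-encrypted tickets for crackable targets. Machine accounts ($) and krbtgt
    have long random passwords and are skipped to cut noise."""
    return [e for e in events
            if e.etype == RC4_HMAC and not e.service.endswith("$") and e.service != "krbtgt"]


def kerberoast_suspects(events, min_distinct_services=3):
    """Requesters that obtained RC4 tickets for several distinct service accounts:
    a single principal sweeping many SPNs is the classic Kerberoasting pattern."""
    by_requester = defaultdict(set)
    for e in rc4_requests(events):
        by_requester[e.requester].add(e.service)
    return {r: sorted(s) for r, s in by_requester.items() if len(s) >= min_distinct_services}


SAMPLE_4769 = [  # constructed sample events
    "TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5",
    "TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5",
    "TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5",
    "TargetUserName=jdoe@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5",
    "TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.9",
    "TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.9",
]

if __name__ == "__main__":
    print("unset attribute issues RC4:", account_issues_rc4_tickets(None))
    print("AES-only (24) issues RC4:", account_issues_rc4_tickets(AES_ONLY))
    print("suspects:", kerberoast_suspects(parse_4769(SAMPLE_4769)))
```

Note that the etype of a service ticket is decided by the target service account's settings, not the requester's, which is why `asmith` receives an RC4 ticket for `svc_web` without being a suspect; the remediation is on the account side, setting `msDS-SupportedEncryptionTypes` to 24 on SPN-bearing accounts (or moving them to group managed service accounts) so no RC4 ticket can be issued for them at all.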
Furthermore, Wyden referenced guidance issued by multiple U.S. agencies regarding the need to disable RC4 encryption and expressed concerns over other security failures by Microsoft, including recent attacks targeting its SharePoint software. He likened the situation to an arsonist profiting from selling firefighting services to their victims, emphasizing the challenges faced by government agencies, companies, and nonprofits like Ascension, which feel compelled to continue using Microsoft products despite experiencing security breaches.
Traced back to Bing
According to Wyden, Ascension informed his office that the ransomware attack originated from a web search conducted using Microsoft’s Bing. A contractor inadvertently clicked on a malicious link, leading to the download of malware that allowed hackers to establish a foothold within the system. Subsequently, the attackers deployed ransomware across thousands of Ascension computers.
Wyden underscored Microsoft's dominant position in the operating systems market, which enables the company to dictate default settings and security features. He noted that most organizations run with whatever settings are in place by default and do not take the time to adjust them, so an insecure default leaves them vulnerable.
The ramifications of the attack on Ascension were severe: the organization's 140 hospitals across 19 states reverted to manual operations for weeks, dozens of hospitals had to divert ambulances and cancel non-emergency appointments, and sensitive healthcare and financial data belonging to nearly 6 million individuals was compromised. A nurse at an Ascension hospital in Michigan described the situation as perilous for patients, citing delays in accessing electronic medical records that hindered critical medical procedures.
Patients in Texas, Illinois, and Tennessee have since initiated class action lawsuits against Ascension for the breach of sensitive health information during the cyberattack. Although the Black Basta ransomware gang has not publicly claimed responsibility for the attack, various sources have implicated them in the incident.