US Senator Ron Wyden has formally requested that the Federal Trade Commission investigate Microsoft for what he characterized as “gross cybersecurity negligence” that had enabled widespread ransomware attacks against critical infrastructure, including healthcare organizations.
In a four-page letter to FTC Chair Andrew Ferguson, the Oregon Democrat documented how Microsoft’s software engineering decisions had enabled ransomware attacks.
“Microsoft has become like an arsonist selling firefighting services to their victims,” Wyden wrote in the letter, arguing that the company had built a profitable cybersecurity business while simultaneously leaving its core products vulnerable to attack.
The letter presented a detailed case study of the February 2024 ransomware attack against Ascension Health that compromised 5.6 million patient records, demonstrating how Microsoft’s default security configurations enabled hackers to move from a single infected laptop to an organization-wide breach.
When one click brought down a hospital system
The Ascension attack began when a contractor using an Ascension laptop clicked on a malicious link from a Microsoft Bing search result. The malware spread laterally through Ascension’s network, eventually compromising administrative accounts on the organization’s Microsoft Active Directory server.
The hackers exploited a technique called Kerberoasting, which leveraged Microsoft’s continued default support for RC4 encryption — a technology from the 1980s that federal agencies had warned against for more than a decade.
“That’s exactly what played out in the Ascension case, where one weak default snowballed into a ransomware disaster,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.
“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” Wyden wrote in the letter.
The technical reality behind the failures
Security experts have long criticized Microsoft’s reliance on outdated encryption standards. “RC4 should have been retired long ago, yet it still lurks in Active Directory and continues to enable attacks like Kerberoasting,” Gogia noted.
Microsoft’s justification centered on backward compatibility concerns. “Microsoft’s line has been that switching it off overnight could break older systems,” Gogia explained. “That may be true, but after more than a decade of warnings, the argument has become increasingly difficult to sustain.”
Wyden detailed how “Microsoft’s continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators.”
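The Kerberoasting path described above leaves a trace on the domain controller: every service-ticket request is logged as Security event 4769, and the event records which cipher the ticket was issued with. The PowerShell below is an added example (not from the article, Wyden’s letter, or Microsoft) that pulls recent 4769 events and summarizes, per requesting account and client address, how many distinct services were requested with RC4 tickets. It assumes it is run with event-log read access on a domain controller; the encryption-type codes (0x17 for RC4-HMAC, 0x11 and 0x12 for AES128 and AES256) are Microsoft’s documented values.

```powershell
# Added example, not from the article: summarize RC4 service-ticket requests from Security event 4769.
# Assumes it runs on a domain controller (or against a forwarded copy of its Security log).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 -ErrorAction Stop

$rc4Requests = foreach ($e in $events) {
    # Parse the event XML into a name -> value table
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    # 0x17 = RC4-HMAC. Skip failures, the krbtgt service, and computer accounts (names ending in $),
    # whose passwords are long and random and are not the exposure the letter describes.
    if ($d['TicketEncryptionType'] -eq '0x17' -and
        $d['Status'] -eq '0x0' -and
        $d['ServiceName'] -ne 'krbtgt' -and
        $d['ServiceName'] -notmatch '\$$') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d['TargetUserName']
            ClientIp  = $d['IpAddress']
            Service   = $d['ServiceName']
        }
    }
}

# One requester asking for RC4 tickets to many distinct services in a short window is the
# pattern worth triaging; a single RC4 ticket to one legacy service is usually just an old app.
$rc4Requests |
    Group-Object Requester, ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'DistinctServices'; Expression = { ($_.Group.Service | Sort-Object -Unique).Count } },
        @{ Name = 'First'; Expression = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
        @{ Name = 'Last';  Expression = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Once the domain has been moved off RC4 (see the hardening steps below in the article), any remaining 0x17 ticket is itself worth an alert, because nothing legitimate should be asking for one.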
The $20 billion security business
Microsoft’s security division now generates more than $20 billion annually, much of it from features that addressed gaps in the company’s core products. “Features such as advanced logging, which many assumed were part of the core product, sat behind premium licenses until the Exchange Online hack forced Microsoft to expand access,” Gogia observed.
Wyden argued that “instead of delivering secure software to its customers, Microsoft has built a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it.”
This created what enterprise customers described as a double-billing problem. “That’s why CIOs describe the feeling as being billed twice — once for the platform, and again for the peace of mind,” Gogia said.
Wyden captured this dynamic with his pointed criticism: “At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”
Broken promises and regulatory pressure
When Wyden’s staff briefed senior Microsoft officials about the Kerberoasting threat in July 2024, the letter added, they “specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk.”
Microsoft’s response fell short: it published the guidance as “a highly technical blog post on an obscure area of the company’s website on a Friday afternoon.” The company also promised to release a software update disabling RC4 encryption, but eleven months later, “Microsoft has yet to release that promised security update,” Wyden noted.
The regulatory implications remained uncertain. “A full-blown FTC case against Microsoft on the basis of weak defaults still feels unlikely,” Gogia said. However, he noted that “the Cyber Safety Review Board’s report from last year complicates the picture. It concluded Microsoft’s security culture was inadequate and accused the company of avoidable mistakes in a government email breach.”
What CISOs are doing now
Enterprise security leaders weren’t waiting for Microsoft or regulators to act. “CISOs are already acting as though Wyden’s points are proven,” Gogia said. “They’re disabling RC4 manually, mandating longer passwords for service accounts, and pushing multi-factor authentication across the board.”
Organizations were increasingly using procurement contracts as leverage. “Contracts are starting to include clauses demanding configuration reports and baseline protections,” Gogia noted. “In some cases, workloads are being threatened with migration unless these terms are met.”
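The steps Gogia lists (disabling RC4 per account, longer service-account passwords) start with knowing which accounts are exposed: those that hold a Service Principal Name and whose msDS-SupportedEncryptionTypes attribute still permits RC4, or is unset and therefore falls back to the domain default. The script below is an added example (not from the article or from Microsoft) that builds that inventory and shows the per-account change in `-WhatIf` mode. It assumes the RSAT ActiveDirectory module and an account with rights to read and modify users; the bit values for the attribute (0x4 RC4, 0x8 AES128, 0x10 AES256) are Microsoft’s documented flags, and the Domain Admins/Enterprise Admins group names used to flag privileged accounts are the default names.

```powershell
# Added example, not from the article: inventory Kerberoasting exposure and preview the AES-only fix.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes
$RC4_HMAC = 0x04
$AES128   = 0x08
$AES256   = 0x10

$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, MemberOf |
    Where-Object { $_.Enabled }

$report = foreach ($u in $spnAccounts) {
    $enc = [int]($u.'msDS-SupportedEncryptionTypes')   # null/unset casts to 0
    # 0 means "use the domain default", which on most domains still includes RC4
    $rc4Allowed = ($enc -eq 0) -or (($enc -band $RC4_HMAC) -ne 0)
    $aesAllowed = ($enc -band ($AES128 -bor $AES256)) -ne 0
    $pwdAge = if ($u.PasswordLastSet) {
        [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays
    } else { $null }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Privileged      = [bool]($u.MemberOf -match '^CN=(Domain Admins|Enterprise Admins|Administrators),')
        RC4Allowed      = $rc4Allowed
        AESAllowed      = $aesAllowed
        PasswordAgeDays = $pwdAge
        SPNs            = ($u.ServicePrincipalName -join '; ')
    }
}

# Privileged accounts that still accept RC4 with an old password are the worst case in the letter
$report | Sort-Object Privileged, RC4Allowed, PasswordAgeDays -Descending | Format-Table -AutoSize

# Preview the per-account fix. Remove -WhatIf only after two checks:
#  1) the service behind the SPN actually supports AES (test in a change window), and
#  2) the password has been reset since AES keys are derived at password-set time; an account
#     whose password predates AES support in the domain has no AES key and would stop authenticating.
# Where the application allows it, a group managed service account (auto-rotated 120-char password)
# removes the weak-password half of the problem entirely.
foreach ($row in $report | Where-Object RC4Allowed) {
    Set-ADUser -Identity $row.Account -KerberosEncryptionType AES128, AES256 -WhatIf
}
```

Run the inventory first and keep the output: the procurement clauses Gogia mentions ask for exactly this kind of configuration report, and the same script rerun after the change documents that RC4 is gone.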
Industry-wide implications
The implications of Wyden’s investigation could reshape how the entire software industry approaches security. “If Wyden’s concerns gain ground, the implications stretch beyond Microsoft,” Gogia said. “Treating insecure defaults as negligence would change how software is built and sold.”
Wyden concluded with a stark warning: “Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software,” and warned that “Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable.”
As Gogia summarized: “The Ascension breach has become a rallying point: one overlooked setting can take down an entire industry, so defaults are no longer trusted.”
Microsoft did not immediately respond to a request for comment.