Microsoft’s use of the 'ancient, insecure' encryption technology enables hackers to crack the passwords of privileged accounts, according to Wyden. — AFP
US Senator Ron Wyden says glaring cybersecurity flaws by Microsoft Corp enabled a ransomware attack on a US hospital system and has called on the Federal Trade Commission to investigate.
In a letter sent Wednesday to FTC Chair Andrew Ferguson and reviewed by Bloomberg News, the Oregon Democrat accused Microsoft of "gross cybersecurity negligence", which he said had resulted in ransomware attacks against US critical infrastructure. The senator cited the case of the 2024 breach at Ascension, one of the nation’s largest nonprofit health systems. The intrusion shut down computers at many of Ascension’s hospitals, leading to suspended surgeries and the theft of sensitive data on more than 5 million patients.
Wyden said an investigation by his office found that the Ascension hack began after a contractor carried out a search using Microsoft’s Bing search engine and was served a malicious link, which led to the contractor inadvertently downloading malware. That allowed hackers access to Ascension’s computer networks.
According to Wyden, the attackers then gained access to privileged accounts by exploiting RC4, an insecure encryption algorithm that Windows domain controllers still accept by default for Kerberos tickets. The technique is called Kerberoasting, which the company has described as a type of cyberattack in which intruders aim to gather passwords by targeting an authentication protocol called Kerberos. In practice, any authenticated domain user can request a Kerberos service ticket for an account that has a service principal name; when that ticket is encrypted with RC4, the key is derived directly from the account's password hash, so the ticket can be taken offline and cracked with ordinary password-guessing tools, with no further interaction with the domain controller.
Microsoft’s use of the "ancient, insecure" encryption technology enables hackers to crack the passwords of privileged accounts, according to Wyden.
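The following is an added example, not code from the article, from Microsoft or from Wyden's office. It shows the two checks a defender would run against the technique described above: flagging the Kerberoasting pattern in Windows Security event 4769 ("A Kerberos service ticket was requested"), where a single user requests RC4-encrypted (type 0x17) service tickets for many service accounts in a short burst, and decoding the Active Directory attribute msDS-SupportedEncryptionTypes to see whether an account still permits RC4. The event records, account names and addresses are constructed for illustration; the field names and encryption-type codes are those Windows uses. The treatment of an unset attribute as "RC4 still allowed" reflects the domain default that Microsoft's spokesperson describes leaving in place for existing installations.

```python
"""Kerberoasting detection over event 4769 records, plus an RC4 exposure check.

Added example with constructed sample data (not real Ascension or Microsoft logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in event 4769.
RC4_HMAC = 0x17          # etype 23: ticket key is the account's NT hash
AES128_CTS_HMAC = 0x11
AES256_CTS_HMAC = 0x12

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
ETYPE_FLAGS = {
    0x1: "DES_CBC_CRC",
    0x2: "DES_CBC_MD5",
    0x4: "RC4_HMAC",
    0x8: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_ONLY = 0x18          # AES128 | AES256: the hardened value for service accounts


def _ev(time, user, service, etype, ip):
    """Build one constructed 4769 record using the Windows field names."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed events: one benign AES request, a burst of RC4 service-ticket
# requests from one low-privilege account (the Kerberoasting pattern), and a
# single RC4 request that on its own is not enough to alert on.
SAMPLE_EVENTS = [
    _ev("2024-05-08T09:00:00", "nurse.k@CORP.LOCAL", "FS01$", AES256_CTS_HMAC, "10.1.4.20"),
    _ev("2024-05-08T09:05:00", "contractor.j@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.1.9.77"),
    _ev("2024-05-08T09:05:01", "contractor.j@CORP.LOCAL", "svc_backup", RC4_HMAC, "10.1.9.77"),
    _ev("2024-05-08T09:05:01", "contractor.j@CORP.LOCAL", "svc_sccm", RC4_HMAC, "10.1.9.77"),
    _ev("2024-05-08T09:05:02", "contractor.j@CORP.LOCAL", "svc_web", RC4_HMAC, "10.1.9.77"),
    _ev("2024-05-08T09:05:02", "contractor.j@CORP.LOCAL", "krbtgt", RC4_HMAC, "10.1.9.77"),
    _ev("2024-05-08T10:30:00", "admin.p@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.1.2.5"),
]


def is_roastable_request(ev):
    """True for an RC4 service ticket aimed at a crackable (human-set) password.

    Computer accounts (name ends in '$') and krbtgt have long random passwords,
    so RC4 tickets for them are noise rather than a cracking opportunity.
    """
    service = ev["ServiceName"].lower()
    if ev["TicketEncryptionType"] != RC4_HMAC:
        return False
    return not (service.endswith("$") or service.startswith("krbtgt"))


def find_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {(user, ip): [services]} for requesters that asked for RC4
    tickets to at least `threshold` distinct service accounts within `window`."""
    per_source = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            t = datetime.fromisoformat(ev["TimeCreated"])
            per_source[(ev["TargetUserName"], ev["IpAddress"])].append((t, ev["ServiceName"]))
    hits = {}
    for source, requests in per_source.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[source] = sorted(in_window)
                break
    return hits


def decode_supported_etypes(value):
    """Names of the cipher suites enabled by an msDS-SupportedEncryptionTypes value."""
    if not value:
        return []
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]


def allows_rc4(value):
    """True if the account can still be issued RC4 tickets.

    Assumption: an unset attribute (None or 0) falls back to the domain default,
    which keeps RC4 enabled unless the administrator has changed it.
    """
    return not value or bool(value & 0x4)


if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user} from {ip}: {services}")
    for value in (None, 0x1C, AES_ONLY):
        print(hex(value or 0), decode_supported_etypes(value), "RC4 allowed:", allows_rc4(value))
```

The burst-of-distinct-SPNs rule is what separates enumeration from a single legitimate RC4 client, so a lone RC4 request does not alert; the remediation check is the one to run over every account with a service principal name before the domain is configured to refuse RC4, since accounts whose password has not changed since AES keys were introduced will have no AES key to fall back to.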
A Microsoft spokesperson, David Cuddy, said the company engaged with Wyden’s office "and will continue to listen and answer questions from them or others in government." Cuddy said RC4 is an "old standard" that the company discourages, and that as a result it makes up less than a tenth of 1% of its traffic.
"We’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible," Cuddy said of RC4. "We have it on our road map to ultimately disable its use."
Cuddy added that Microsoft has already removed another "problematic" standard and that starting in 2026 new installations of Active Directory, Microsoft’s directory and identity service, will have RC4 disabled by default. Microsoft hasn’t completely disabled use of RC4 because such a move would disrupt many customer systems, Cuddy said.
An FTC spokesperson, Juliana Gruenwald Henderson, declined to comment on Wyden’s letter. Ascension didn’t respond to calls and emails seeking comment.
"Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection," Wyden wrote. "Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software."
Wyden said he first raised the Kerberoasting issue with senior Microsoft officials in July 2024, which prompted the company to release a blog post that October with recommendations for organisations on how to protect against the hacking technique. The company said at the time that it was working on an update to disable RC4 encryption. That has not yet been released.
As a result, it’s likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to the hacking technique, according to Wyden.
The senator added that without action from the FTC, "Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolisation of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable."
Wyden has been a regular critic of Microsoft in recent years amid a series of alleged security lapses. In 2024, a US government report said an "inadequate" security culture was one reason that suspected Chinese hackers were able to exploit flaws in the company’s technology to steal emails from US officials. In response, the company vowed to embark on an ambitious security overhaul.
In July, Microsoft said a suspected Chinese government-backed cyberattack exploited vulnerabilities in Microsoft’s SharePoint servers to breach more than 400 organisations internationally, including the US National Nuclear Security Administration, the division responsible for designing and maintaining the country’s nuclear weapons. – Bloomberg
