Senator Wyden Pushes FTC Investigation into Microsoft Over Ransomware Vulnerabilities

U.S. Senator Ron Wyden has formally called on the Federal Trade Commission (FTC) to investigate Microsoft for what he describes as “gross cybersecurity negligence” following a ransomware attack on the healthcare provider Ascension. The senator’s concern centers on how Microsoft’s default software configurations allegedly exposed critical infrastructure networks to attack.

The Trigger: The Ascension Breach and Technical Vulnerabilities

  • Incident Overview: Last year, Ascension, a major healthcare system, was hit by a ransomware attack carried out by the group known as Black Basta, affecting nearly 5.6 million individuals. The breach involved data theft, as well as disruption to electronic health records.
  • Initial Vector: A contractor working for Ascension clicked on a malicious link surfaced by Microsoft’s Bing search engine. That click set off a chain of events that allowed the attackers to exploit insecure defaults in Microsoft software.
  • Default Software Weakness: According to the Senator’s letter, Microsoft’s software ships with dangerously insecure default settings. One key issue is support for RC4 encryption within the Kerberos authentication protocol. RC4 is a legacy cipher that cryptographic research has long deemed insecure. Although it has been deprecated in many modern systems, Microsoft left it enabled by default. This allowed attackers to use a technique known as Kerberoasting to extract service account credentials from Active Directory.

Technical Specifics: Kerberoasting, Default Ciphers, and Exploitable Weaknesses

  • Kerberoasting Explained: In an Active Directory environment, any authenticated user can request a Kerberos service ticket for any account that has a Service Principal Name (SPN). Part of that ticket is encrypted with the service account’s long-term key. When the ticket is encrypted with RC4, that key is simply the account’s NT hash, an unsalted digest of the password, so an attacker who obtains the ticket can perform offline attacks (e.g., brute force or wordlist guessing) at very high speed to recover the service account’s plaintext credentials; AES-encrypted tickets use salted, iterated keys that are far more expensive to attack. In this case, Wyden’s office claims the breach utilized these RC4-protected tickets.
  • Why RC4 Matters: RC4 (Rivest Cipher 4), a stream cipher developed in the late 1980s, has been known for decades to have weaknesses: biases in its keystream and susceptibility to plaintext recovery. Standards bodies (e.g., the IETF) have prohibited its use in secure channels, especially TLS, since the mid-2010s because of those flaws. Microsoft nevertheless kept RC4 support in Kerberos enabled by default, which Wyden states “needlessly exposes” customers when weak passwords are in use.
  • Password Strength & Service Accounts: The senator also highlights that Microsoft does not enforce strong password policies (e.g., 14-character minimums, randomly generated passwords) for service accounts, nor does it require the use of stronger encryption ciphers (AES-128 or AES-256) for Kerberos service ticket encryption when SPNs are involved. These weak policies, combined with weak default encryption, magnify the risk of credential compromise.
  • Mitigations Microsoft Recommends: In response to Wyden’s letter, Microsoft has published guidance and said it plans to phase out RC4 usage. It also outlined steps such as using Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA), auditing accounts with SPNs, updating ticket encryption algorithms, and setting strong, randomly generated passwords for privileged accounts. Microsoft further disclosed that new Active Directory domains using Windows Server 2025 will have RC4 disabled by default starting in Q1 of 2026.
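The audit step above, as an added example that is neither Microsoft’s published guidance nor code from the article: this PowerShell lists enabled user accounts that carry an SPN and shows which could still be issued RC4-encrypted service tickets. It assumes the ActiveDirectory RSAT module, read access to the domain, and a 365-day password-age threshold as the policy value.

```powershell
# Added example: audit SPN-bearing user accounts for Kerberoasting exposure.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{
    0x01 = 'DES-CBC-CRC'; 0x02 = 'DES-CBC-MD5'; 0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'; 0x10 = 'AES256-CTS-HMAC-SHA1-96'; 0x20 = 'AES256-SK'
}

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumed policy threshold
    $props = 'ServicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet', 'AdminCount'
    # Only user objects matter here: computer and gMSA accounts already use long, random,
    # automatically rotated passwords, so their tickets are not practically crackable.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $flags = [int]($_.'msDS-SupportedEncryptionTypes')   # $null becomes 0
            $names = foreach ($e in $EncTypes.GetEnumerator()) { if ($flags -band $e.Key) { $e.Value } }
            # Unset (0) means "domain default", which for user accounts has meant RC4 only.
            $rc4Possible = ($flags -eq 0) -or [bool]($flags -band 0x04)
            $ageDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { -1 }
            $finding = @()
            if ($rc4Possible) { $finding += 'RC4 ticket possible' }
            if ($ageDays -lt 0 -or $ageDays -gt $MaxPasswordAgeDays) { $finding += 'password older than policy' }
            if ($_.AdminCount -eq 1) { $finding += 'privileged account' }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                SPNs            = ($_.ServicePrincipalName -join '; ')
                EncTypes        = if ($flags) { $names -join ',' } else { 'unset (domain default)' }
                PasswordAgeDays = $ageDays
                Findings        = ($finding -join '; ')
            }
        }
}

# Accounts with the most findings are listed first. Remediation is a deliberate, separate step:
#   Set-ADUser <acct> -KerberosEncryptionType AES128,AES256   # writes 0x18 to the attribute
#   then rotate the password (AES keys exist only for passwords set after the domain reached
#   the Windows Server 2008 functional level), or replace the account with a gMSA/dMSA.
Get-KerberoastExposure | Sort-Object { $_.Findings.Length } -Descending | Format-Table -AutoSize
```

Switching an account to AES-only before confirming the service itself negotiates AES is the compatibility break Microsoft warns about, so test each account on a staging host first.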

Regulatory and Policy Allegations

  • Senator Wyden’s critique goes beyond a single breach. In his four-page letter to FTC Chairman Andrew Ferguson, he frames Microsoft as having a systemic problem: a “culture of negligent cybersecurity” compounded by its near-monopoly over enterprise operating systems. Wyden uses sharp metaphorical language, likening Microsoft to “an arsonist selling firefighting services to their victims.”
  • The letter asserts that Microsoft’s default configurations (i.e., enabling legacy, insecure encryption by default, lenient password policies) have over time weakened baseline protections across many organizations—particularly those in healthcare and critical infrastructure. The suggestion is that negligence in defaults and configuration is not just an IT issue but a national security concern.

Microsoft’s Response

  • Microsoft acknowledges that RC4 is antiquated and says it discourages its use "in how we engineer our software and in our documentation to customers." The company states that less than 0.1% of its traffic still uses RC4, but it also warns that disabling RC4 outright could cause compatibility problems in existing environments.
  • Microsoft has committed to gradually eliminating RC4 support, while continuing to provide strong warnings and guidance to customers. Additionally, Microsoft notes that new AD domains in Windows Server 2025 will, by default, disable RC4 encryption.

Security Risk Assessment

  • Attack Surface and Cascading Consequences: When software vendors allow weak encryption by default or weak password policies, they provide an “easy pick” to attackers. Even system administrators who are security-aware may inherit configurations that permit RC4 or allow weak credentials, particularly in environments where continuity and legacy compatibility are heavily valued.
  • Vulnerability Exploits: Kerberoasting attacks are not speculative; they are known, documented, and have been used successfully in multiple breach incidents. Once service account credentials are compromised, attackers can move laterally, escalate privileges, and access sensitive assets. In healthcare settings, that can include personal health data, IoT medical devices, and critical infrastructure.
  • Regulatory and Trust Implications: As Microsoft is deeply embedded in many critical infrastructure and enterprise environments, failures in configuring security by default automatically shift the burden of defense to organizations that may lack expertise, resources, or visibility to detect such weaknesses. The reputational damage and liability risk are substantial.
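As an added detection example (not from the article or Microsoft), this PowerShell groups Security event 4769 records to surface one account requesting RC4-encrypted (0x17) service tickets for many distinct services in a short window, the pattern the Kerberoasting activity above leaves in a domain controller’s log. The records at the bottom are constructed, and the window and threshold are assumptions to tune against your own baseline.

```powershell
# Added example: surface Kerberoasting-like bursts of RC4 service-ticket requests.
# In event 4769, TicketEncryptionType 0x17 = RC4-HMAC, 0x11/0x12 = AES128/AES256.
function ConvertFrom-Event4769 {
    # Flatten one Security event 4769 into the fields the check needs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time = $Event.TimeCreated; User = $d.TargetUserName; Service = $d.ServiceName
        EncType = $d.TicketEncryptionType; Status = $d.Status; Source = $d.IpAddress
    }
}

function Find-KerberoastBursts {
    param($Records, [int]$WindowMinutes = 10, [int]$Threshold = 5)   # assumed tuning values
    # Keep successful RC4 tickets for user service accounts; computer accounts ($) and
    # krbtgt are excluded because their tickets are not the Kerberoasting target.
    $rc4 = $Records | Where-Object {
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt'
    }
    foreach ($g in ($rc4 | Group-Object User)) {
        $sorted   = @($g.Group | Sort-Object Time)
        $services = @($sorted.Service | Select-Object -Unique)
        $span     = New-TimeSpan -Start $sorted[0].Time -End $sorted[-1].Time
        if ($services.Count -ge $Threshold -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                User             = $g.Name
                Sources          = (@($sorted.Source | Select-Object -Unique) -join ',')
                DistinctServices = $services.Count
                Minutes          = [math]::Round($span.TotalMinutes, 1)
            }
        }
    }
}

# Constructed sample: one account pulls six RC4 tickets within a minute, another gets one AES ticket.
$t0 = Get-Date '2025-10-01 09:00:00'
$sample = foreach ($i in 1..6) {
    [pscustomobject]@{ Time = $t0.AddSeconds(10 * $i); User = 'contractor1@CORP.EXAMPLE'
                       Service = "svc_app$i"; EncType = '0x17'; Status = '0x0'; Source = '::ffff:10.0.0.25' }
}
$sample += [pscustomobject]@{ Time = $t0; User = 'alice@CORP.EXAMPLE'; Service = 'svc_sql'
                              EncType = '0x12'; Status = '0x0'; Source = '::ffff:10.0.0.7' }
Find-KerberoastBursts -Records $sample | Format-Table -AutoSize
# Live use: Find-KerberoastBursts -Records (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} |
#                                            ForEach-Object { ConvertFrom-Event4769 $_ })
```

Monitoring agents and some applications legitimately request tickets for many services, so baseline the threshold per environment; once RC4 is disabled for SPN accounts, any remaining 0x17 ticket for such an account is itself worth an alert.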

Regulatory Implications

  • The allegation by Senator Wyden raises important questions about product liability, default secure settings, and vendor responsibility. To what extent should software vendors be held accountable for insecure defaults?
  • Regulatory tools like the FTC’s authority to investigate “unfair or deceptive acts or practices” may be applied to software security neglect. If Microsoft is found negligent, this could set a precedent for how default configurations, encryption standards, and password requirements are regulated in widely used software.
  • There is also a broader normative issue: secure-by-default vs. secure-by-option. Wyden’s position implies that defaults should err on the side of security, with higher password strength, deprecation of weak cryptographic algorithms, and safe configurations baked in—not as optional toggles.

Senator Wyden’s letter to the FTC highlights a confluence of cybersecurity, regulation, and corporate accountability. The Ascension breach is more than a single incident; it serves as a case study in how widely used software defaults, weak encryption standards, and legacy compatibility can combine to precipitate large scale attacks upon critical infrastructure.

As Microsoft begins to phase out insecure ciphers and publish guidance, the central question remains whether regulatory mechanisms will demand more rapid change, enforce better defaults, and hold vendors responsible for enabling risk. This matter merits close scrutiny—not only from security researchers, but from regulators, enterprise customers, and the public at large.