Senator Calls for FTC Investigation of Microsoft Following Ascension Ransomware Attack

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to investigate Microsoft over the role its software played in a major 2024 ransomware attack on the health system Ascension, an attack that exposed the records of 5.6 million patients.

In a letter dated September 10, 2025, Senator Wyden criticized Microsoft’s software, claiming it facilitated a major ransomware incident at one of the nation’s largest non-profit healthcare systems. He urged the FTC to examine what he described as “dangerous, insecure software” that compromised sensitive patient information.

An FTC representative confirmed receipt of Senator Wyden’s letter but refrained from commenting further on the matter.

The Weakness at the Heart of the Attack

Details released by Wyden’s office show that the 2024 intrusion began when a contractor’s laptop was infected with malware after the contractor clicked a malicious link surfaced by a Bing search. Because of insecure default settings in Microsoft software, the attackers were then able to turn that single foothold into privileged access across Ascension’s network.

Notably, the attackers used a technique known as Kerberoasting, which depends on RC4, a cipher designed in the 1980s that Active Directory still permits for Kerberos tickets in its default configuration. Any authenticated domain user can ask the domain controller for a Kerberos service ticket for an account that has a Service Principal Name; the ticket is encrypted with a key derived from that account’s password, so it can be taken offline and cracked without further contact with the network. When the ticket is issued with RC4 (Kerberos encryption type 23), that key is the account’s unsalted NT hash, which cracks orders of magnitude faster than the salted, iterated keys used by the AES encryption types. Cracking a privileged service account’s password in this way let the attackers take control of Active Directory, effectively granting them master access to the network. They then deployed ransomware across thousands of devices and stole data on 5.6 million patients.
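To make the default described above concrete, the following is an added example, not code from the article, from Wyden’s letter or from Microsoft, of two checks a defender can run against it: decoding an account’s msDS-SupportedEncryptionTypes flags to see whether the domain controller may still issue RC4-keyed tickets for that account, and scanning Security Event ID 4769 records for the burst of RC4 service-ticket requests that a Kerberoasting tool produces. The CSV export layout, the sample events and the account names are constructed for the example, and the five-minute window and three-SPN threshold are assumptions to tune per environment.

```python
"""Added example: two checks for the Kerberoasting-over-RC4 condition.

1. allows_rc4(): decode an AD account's msDS-SupportedEncryptionTypes bit
   flags to tell whether the KDC may issue RC4 (etype 0x17) tickets for it.
2. kerberoast_candidates(): run over Security Event ID 4769 records (a
   constructed CSV sample here) and flag accounts requesting RC4 service
   tickets for many distinct SPNs in a short window.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Bit flags of msDS-SupportedEncryptionTypes (as documented in MS-ADTS / MS-KILE).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08
AES256_CTS_HMAC_SHA1 = 0x10
AES_ONLY = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1  # 0x18, the hardened value


def allows_rc4(supported_enc_types):
    """True if the KDC may issue an RC4-keyed service ticket for this account.

    The attribute is absent (None) or 0 on most user and service accounts in a
    default domain, and Windows then treats RC4 as permitted; that is the
    default the article refers to. An explicit AES-only value (0x18) closes it.
    """
    if not supported_enc_types:
        return True
    return bool(supported_enc_types & RC4_HMAC)


# Constructed sample of Event ID 4769 fields exported as CSV (not real data).
# Columns: time, TargetUserName (the requesting account), ServiceName (the
# account that owns the SPN), TicketEncryptionType, IpAddress.
SAMPLE_4769 = """time,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
2024-02-01T10:00:01,alice,FS01$,0x12,10.0.1.20
2024-02-01T10:00:03,contractor7,svc_sql,0x17,10.0.5.41
2024-02-01T10:00:04,contractor7,svc_backup,0x17,10.0.5.41
2024-02-01T10:00:04,contractor7,svc_sharepoint,0x17,10.0.5.41
2024-02-01T10:00:05,contractor7,svc_iis,0x17,10.0.5.41
2024-02-01T10:30:00,bob,svc_sql,0x17,10.0.2.7
2024-02-01T11:15:00,alice,svc_backup,0x12,10.0.1.20
"""

RC4_ETYPE = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def parse_4769(csv_text):
    """Parse the CSV export into dicts, converting the timestamp column."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        r["time"] = datetime.fromisoformat(r["time"])
        rows.append(r)
    return rows


def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {requester: sorted SPN owners} for accounts that requested RC4
    service tickets for at least min_spns distinct services within window.

    A normal client asks for a ticket for the one service it is about to use;
    a Kerberoasting tool asks for every SPN in the domain at once. Machine
    accounts (names ending in $) are skipped because their passwords are long
    and random, so their tickets are not the cheap-to-crack case.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"].lower() != RC4_ETYPE:
            continue
        if e["ServiceName"].endswith("$"):
            continue
        per_user[e["TargetUserName"]].append((e["time"], e["ServiceName"]))

    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged


if __name__ == "__main__":
    for name, v in (("unset", None), ("AES-only", AES_ONLY), ("AES+RC4", AES_ONLY | RC4_HMAC)):
        print(f"{name:9} allows RC4: {allows_rc4(v)}")
    print(kerberoast_candidates(parse_4769(SAMPLE_4769)))
```

Run with python3 to print the three flag cases and the flagged account. In production the 4769 records would come from a SIEM rather than an inline string, and the flag check would read msDS-SupportedEncryptionTypes from the directory; the point of the pair is that the hardened value 0x18 on service accounts, together with long random passwords, removes the cheap RC4 key, while the 4769 scan catches the request burst when that hardening is incomplete.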

It is worth noting that federal agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA had already published warnings about Kerberoasting and the risk of leaving RC4 enabled before the attack took place.

Ongoing Patterns of Security Lapses

This incident is not an isolated case in Microsoft’s history of security lapses. Senator Wyden pointed to the 2023 intrusion into U.S. government agencies’ Microsoft cloud email accounts, into which he had requested an investigation; the Cyber Safety Review Board’s subsequent review concluded that Microsoft’s security practices were deficient and in need of an overhaul.

Furthermore, Wyden’s letter emphasized Microsoft’s slow response to a known threat. Although his office warned company officials about the Kerberoasting risk in July 2024, Microsoft did not publish guidance until October 2024 and has yet to ship the promised software update that would turn RC4 off by default.

Wyden expressed concern over Microsoft’s market position, suggesting that the company has little incentive to resolve security issues, as many businesses and governmental bodies rely on its products. He articulated that the current security practices pose a considerable risk to national security, likening Microsoft to “an arsonist selling firefighting services to their victims.” This metaphor underscores the urgency for accountability and reform within Microsoft’s cybersecurity approach.

In terms of adversary tactics, the attack chained initial access through a malicious search result on a contractor’s machine, credential theft and privilege escalation via Kerberoasting, and lateral movement across the network to deploy ransomware. Understanding this chain matters for defenders because each link has a well-known control: service accounts restricted to AES encryption types and given long random passwords, monitoring of Kerberos service-ticket requests (Event ID 4769) for bursts of RC4 tickets, and limits on what a single compromised endpoint can reach.
