Paubox blog

Senator calls for probe of Microsoft over healthcare ransomware attacks

Written by Lusanda Molefe | September 17, 2025

US Senator Ron Wyden has formally requested that the Federal Trade Commission investigate Microsoft for what he calls "gross cybersecurity negligence", arguing that the company's continued default support for the 1980s-era RC4 cipher enabled ransomware attacks on critical infrastructure. The senator's letter to FTC Chairman Andrew Ferguson specifically cites the May 2024 Ascension Health breach, which compromised 5.6 million patient records, and argues that Microsoft's default security configurations and its decade-long failure to retire the vulnerable cipher have created systemic risk for healthcare organizations that depend on Windows.


What happened

On September 10, 2025, Senator Wyden (D-Oregon) sent a four-page letter to the FTC requesting an investigation into Microsoft's security practices, in particular its continued default support for RC4 encryption in Windows despite more than a decade of federal warnings against the cipher. The letter describes how this weakness enabled the Ascension Health ransomware attack, which began when a contractor clicked a malicious link surfaced by Microsoft's Bing search engine, compromising a single machine.

From that foothold the attackers used a technique called Kerberoasting. Any authenticated domain account can ask a domain controller for a Kerberos service ticket for any account that has a service principal name registered in Active Directory, and when the target account still permits RC4, the ticket is encrypted under a key derived directly from that account's NT password hash. The attacker takes the ticket offline and guesses passwords against it at very high speed, with no lockouts and no further traffic to the network, until a privileged service account's password falls out. Once they had administrative access, the attackers deployed ransomware across thousands of Ascension computers, disrupting clinical operations and stealing protected health information (PHI). Wyden's office learned these details directly from Ascension while preparing the letter.


Why it matters

Healthcare organizations rely on Microsoft's Windows infrastructure for electronic health records, patient monitoring systems, and administrative functions. The senator argues that Microsoft's market dominance creates a situation where healthcare providers have "no choice" but to use potentially vulnerable software, even after experiencing breaches.

Kerberoasting is dangerous because it needs nothing more than the credentials of one ordinary domain user: a single compromised workstation is enough to request the service tickets, the password cracking happens offline where it triggers no lockouts, and the result can be administrative control of the entire domain. For healthcare facilities operating 24/7 with life-critical systems, that path from one phish to domain-wide ransomware directly impacts patient care when systems are forced offline.
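The trail that sweep leaves in a domain controller's Security log is the practical check. The following is an added example, not code from the Paubox article, Ascension or Microsoft: it parses event 4769 records ("A Kerberos service ticket was requested") into objects and applies two heuristics, RC4 service tickets for user-type service accounts and a burst of distinct services from one requester. The sample events are constructed; the event ID, field names and encryption-type codes (0x17 RC4-HMAC, 0x12 AES256, 0x11 AES128) are the real ones.

```powershell
# Added example (not from the article, Ascension, or Microsoft). Sample events are constructed.

function ConvertFrom-Event4769 {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml                      # same layout Get-WinEvent returns from .ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = [datetime]$x.Event.System.TimeCreated.SystemTime
        Requester      = $data['TargetUserName']       # account that asked for the ticket
        ServiceName    = $data['ServiceName']          # account the ticket is encrypted to
        EncryptionType = $data['TicketEncryptionType'] # 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128
        Status         = $data['Status']               # 0x0 = ticket issued
        IpAddress      = $data['IpAddress']
    }
}

function Find-KerberoastingCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,        # burst window
        [int]$MinDistinctServices = 3    # distinct SPN accounts from one requester before it is a burst
    )
    # Indicator 1: an RC4 ticket for a user-type service account. Machine accounts end in '$' and
    # carry long random passwords, so attackers skip them; krbtgt tickets are ordinary TGTs.
    $rc4 = $Events | Where-Object {
        $_.Status -eq '0x0' -and $_.EncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and $_.ServiceName -notlike 'krbtgt*'
    }
    # Indicator 2: one requester pulling tickets for many different service accounts in a short
    # window, which is what a single Kerberoasting sweep looks like.
    $bursts = $rc4 | Group-Object Requester, IpAddress | ForEach-Object {
        $g = @($_.Group | Sort-Object Time)
        $services = @($g.ServiceName | Select-Object -Unique)
        $span = $g[-1].Time - $g[0].Time
        if ($services.Count -ge $MinDistinctServices -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Requester = $g[0].Requester
                IpAddress = $g[0].IpAddress
                Services  = ($services -join ', ')
                Span      = $span
                Verdict   = 'likely Kerberoasting sweep'
            }
        }
    }
    [pscustomobject]@{ Rc4ServiceTickets = @($rc4); Bursts = @($bursts) }
}

# Constructed sample: one sweep (jdoe, four RC4 tickets in two seconds), one normal AES request
# to a machine account, and one lone RC4 request from a legacy application account.
function New-Sample4769 {
    param($Time, $Requester, $Service, $Etype, $Ip)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="$Time"/></System><EventData><Data Name="TargetUserName">$Requester</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data><Data Name="ServiceName">$Service</Data><Data Name="TicketOptions">0x40810000</Data><Data Name="TicketEncryptionType">$Etype</Data><Data Name="IpAddress">::ffff:$Ip</Data><Data Name="IpPort">49211</Data><Data Name="Status">0x0</Data></EventData></Event>
"@
}
$SampleEvents = @(
    New-Sample4769 '2025-09-10T14:00:05Z' 'jdoe@CORP.EXAMPLE'      'svc-sql'    '0x17' '10.20.30.40'
    New-Sample4769 '2025-09-10T14:00:06Z' 'jdoe@CORP.EXAMPLE'      'svc-web'    '0x17' '10.20.30.40'
    New-Sample4769 '2025-09-10T14:00:06Z' 'jdoe@CORP.EXAMPLE'      'svc-backup' '0x17' '10.20.30.40'
    New-Sample4769 '2025-09-10T14:00:07Z' 'jdoe@CORP.EXAMPLE'      'svc-ehr'    '0x17' '10.20.30.40'
    New-Sample4769 '2025-09-10T14:03:00Z' 'jdoe@CORP.EXAMPLE'      'WS0123$'    '0x12' '10.20.30.40'
    New-Sample4769 '2025-09-10T13:10:00Z' 'legacyapp@CORP.EXAMPLE' 'svc-print'  '0x17' '10.20.30.99'
)

$parsed = $SampleEvents | ForEach-Object { ConvertFrom-Event4769 $_ }
$result = Find-KerberoastingCandidates -Events $parsed
$result.Rc4ServiceTickets | Format-Table Time, Requester, ServiceName, EncryptionType, IpAddress
$result.Bursts | Format-List

# Live use on a domain controller (needs rights to read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-24) } |
#         ForEach-Object { ConvertFrom-Event4769 $_.ToXml() }
# Find-KerberoastingCandidates -Events $live
```

On the constructed sample this reports five RC4 service tickets and one burst (jdoe, four services, two seconds apart); the lone legacyapp request is listed but not called a sweep, which is the usual baseline noise from an application that still negotiates RC4. Keep the burst heuristic even after RC4 is switched off: Kerberoasting still works against AES tickets, only far more slowly, and the sweep pattern is the same.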


The big picture

This isn't Microsoft's first cybersecurity controversy. The Cyber Safety Review Board criticized the company in 2024 for "avoidable errors" that let Chinese hackers access US government emails in 2023. Wyden's letter frames Microsoft's approach as building a profitable cybersecurity business by selling solutions to problems created by its own products' vulnerabilities.

The senator's comparison of Microsoft to "an arsonist selling firefighting services to their victims" points to a broader industry concern about software vendors monetizing security features that critics argue should be default protections. With Microsoft's security division generating over $20 billion annually, questions arise about incentive structures in enterprise software security.


What they're saying

Senator Ron Wyden stated, "Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable."

A Microsoft spokesperson said, "RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than 0.1% of our traffic. However, disabling its use completely would break many customer systems."

The company added, "For this reason, we're on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use."


What's next

Microsoft states that starting in Q1 2026, new Active Directory domains installed on Windows Server 2025 will have RC4 disabled by default. The company also plans "additional mitigations for existing in-market deployments" but says it must balance security improvements against compatibility for critical customer services.

The FTC acknowledged receiving Wyden's letter but declined to say whether it will open an investigation. Healthcare organizations aren't waiting for regulatory action: many are disabling RC4 on their own domains, setting long random passwords on service accounts, and auditing their Microsoft deployments. RC4 is switched off per account through the msDS-SupportedEncryptionTypes attribute or domain-wide through the Kerberos encryption-types policy on domain controllers, and either change breaks any legacy service that can only negotiate RC4, so an inventory of service accounts comes first.
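What "disabling RC4" and "longer passwords" mean in practice on a domain, as an added example that is not the article's, Ascension's or Microsoft's code: it lists every enabled account with an SPN (the set Kerberoasting can target), reports whether the KDC would still issue RC4 tickets for each one, and restricts a chosen account to AES with an optional password reset. It assumes the ActiveDirectory RSAT module and rights to read (and, for remediation, write) the accounts; svc-sql in the usage line is a placeholder.

```powershell
# Added example (not the article's or Microsoft's code). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes, as documented by Microsoft.
$ETYPE_RC4_HMAC = 0x04
$ETYPE_AES128   = 0x08
$ETYPE_AES256   = 0x10
$AesOnly        = $ETYPE_AES128 -bor $ETYPE_AES256    # 24

function Get-KerberoastableAccount {
    [CmdletBinding()]
    param([int]$MaxPasswordAgeDays = 365)
    # Any enabled user account with a servicePrincipalName can have a service ticket requested
    # for it by every domain user, so this list is the attack surface Kerberoasting sees.
    Get-ADUser -Filter { servicePrincipalName -like "*" -and Enabled -eq $true } `
               -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, adminCount |
    ForEach-Object {
        $etypes = [int]($_.'msDS-SupportedEncryptionTypes')
        # Unset (0) means "use the domain default", which still includes RC4 on today's domain
        # controllers, so an unset attribute is counted as RC4-capable.
        $rc4 = ($etypes -eq 0) -or (($etypes -band $ETYPE_RC4_HMAC) -ne 0)
        $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        $privileged = ($_.adminCount -eq 1)   # member (now or once) of a protected group
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Privileged      = $privileged
            RC4Allowed      = $rc4
            EncryptionTypes = $etypes
            PasswordAgeDays = $age
            SPNs            = ($_.servicePrincipalName -join ' ')
            Risk            = if ($privileged -and $rc4) { 'HIGH' }
                              elseif ($rc4 -or ($age -gt $MaxPasswordAgeDays)) { 'MEDIUM' }
                              else { 'LOW' }
        }
    }
}

function Set-AesOnlyServiceAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$RotatePassword
    )
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set msDS-SupportedEncryptionTypes to AES128+AES256')) {
        # After this the KDC will not issue an RC4-encrypted ticket for the account; an attacker's
        # RC4 (etype 23) request comes back as AES, which is orders of magnitude slower to crack.
        # Caveat: AES keys are only derived when a password is set, so an account whose password
        # predates AES support in the domain has no AES key and must be rotated as well.
        Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
    }
    if ($RotatePassword -and $PSCmdlet.ShouldProcess($SamAccountName, 'Reset to a 64-character random password')) {
        # A short password stays crackable under AES too, so rotate to something no wordlist reaches.
        $bytes = New-Object byte[] 48
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secret
    }
}

# Audit: privileged, RC4-capable service accounts first.
Get-KerberoastableAccount |
    Sort-Object { @{ HIGH = 0; MEDIUM = 1; LOW = 2 }[$_.Risk] } |
    Format-Table SamAccountName, Risk, Privileged, RC4Allowed, EncryptionTypes, PasswordAgeDays -AutoSize

# Remediate one account (placeholder name); drop -WhatIf once the service owner has confirmed it.
# Set-AesOnlyServiceAccount -SamAccountName svc-sql -RotatePassword -WhatIf
```

A password rotation breaks the service until the credential it stores is updated, so it is scheduled with the service owner; where the application supports it, moving the account to a group managed service account (gMSA) is the better end state, since gMSA passwords are long, random and rotated automatically.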


FAQs

What is Kerberoasting?

Kerberoasting is an attack in which any authenticated domain user requests Kerberos service tickets for accounts that have service principal names registered, then cracks those tickets offline to recover the service accounts' passwords. RC4 makes this cheap because an RC4 ticket is protected by a key derived directly from the account's NT password hash, so each guess costs a single hash operation; a cracked privileged service account gives the attacker administrative access to the network.


What did Senator Wyden ask the FTC to do?

Investigate Microsoft for "gross cybersecurity negligence" and hold the company responsible for delivering insecure software to government and critical infrastructure entities.


What was Microsoft's response to Wyden's July 2024 concerns?

Microsoft published a technical blog post in October 2024 and promised a security update to disable RC4, but as of September 2025, 11 months later, it has not delivered that update.