Digital Arson: Microsoft Under Fire After Ascension Ransomware Meltdown
A U.S. senator demands an FTC probe, accusing Microsoft’s outdated security practices of enabling the devastating Ascension Health cyberattack.
Fast Facts
- Senator Ron Wyden has called on the FTC to investigate Microsoft after the 2024 Ascension Health ransomware attack.
- The attackers relied on RC4, a cipher from the late 1980s that Microsoft's Active Directory still accepts for Kerberos tickets by default.
- The breach crippled 140 hospitals, exposed nearly 6 million patients’ data, and forced weeks of manual operations.
- Microsoft says disabling RC4 outright could “break many customer systems,” planning a phased removal by 2026.
- The Black Basta ransomware gang is suspected, though it never officially claimed responsibility.
When the Lifelines Go Dark
Picture a nurse in a bustling Detroit hospital, paper charts in hand, waiting hours for a scan result that could mean life or death. In May 2024, this was grim reality for staff at Ascension Health, one of America’s largest Catholic healthcare systems, after a ransomware attack brought their digital infrastructure to its knees. The fallout: ambulances rerouted, critical appointments canceled, and millions of patients’ sensitive data leaked online.
Old Weaknesses, New Catastrophes
Behind the chaos was a technical Achilles’ heel: RC4, a stream cipher designed in 1987 that Active Directory still allows to be used for Kerberos tickets. Despite years of warnings from cybersecurity experts - including Microsoft’s own - the outdated algorithm remained quietly enabled by default across the company’s products. Attackers used a technique called “Kerberoasting”: any authenticated user can ask a domain controller for a service ticket, and that ticket is encrypted with a key derived from the service account’s password. When the ticket is issued with RC4, that key is simply the account’s unsalted NT password hash, so the ticket can be cracked offline far faster than one protected with AES. Service accounts with weak passwords surrender their credentials, in Ascension’s case including powerful administrator accounts, and the attackers then moved through the network looking like legitimate users. All it took was a contractor clicking a booby-trapped Bing search result for the digital dominoes to fall.
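The Kerberoasting pattern described above leaves a trail on the domain controllers: every service ticket issued is recorded as Windows Security Event ID 4769, including the encryption type of the ticket. The following hunt is an added example written for this article; it is not code from the article, from Microsoft or from Ascension. It assumes 4769 events have been exported as dictionaries using the event’s own field names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress) with TimeCreated as an ISO-8601 string; the sample records, account names and addresses are constructed. It also decodes the msDS-SupportedEncryptionTypes attribute, which is where an administrator removes RC4 from an individual service account without waiting for a vendor-wide default change.

```python
"""Kerberoasting hunt over Windows Security Event ID 4769 records.

Added example for this article; not code from the article, Microsoft or
Ascension. Assumes 4769 events exported as dicts keyed by the event's own
field names, with TimeCreated as an ISO-8601 string. All sample records
below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Kerberos ticket encryption types as logged in 4769 (hex strings).
RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC, RC4-HMAC-EXP
AES_ETYPES = {"0x11", "0x12"}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Bits of the msDS-SupportedEncryptionTypes attribute on an AD account.
ENC_TYPE_BITS = [
    (0x01, "DES-CBC-CRC"),
    (0x02, "DES-CBC-MD5"),
    (0x04, "RC4-HMAC"),
    (0x08, "AES128-CTS-HMAC-SHA1-96"),
    (0x10, "AES256-CTS-HMAC-SHA1-96"),
]


def _ev(time, user, service, etype, status="0x0", ip="::ffff:10.20.30.40"):
    """Build one constructed 4769 record (sample data, not a real export)."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}


# Constructed sample: one account pulls RC4 tickets for four service
# accounts inside two minutes; the remaining records are noise a hunt
# must ignore (machine account, AES ticket, single request, failed request).
SAMPLE_EVENTS = [
    _ev("2024-05-08T02:14:03", "contractor01@CORP.LOCAL", "svc_sql", "0x17"),
    _ev("2024-05-08T02:14:05", "contractor01@CORP.LOCAL", "svc_backup", "0x17"),
    _ev("2024-05-08T02:14:06", "contractor01@CORP.LOCAL", "svc_web", "0x17"),
    _ev("2024-05-08T02:14:09", "contractor01@CORP.LOCAL", "WS01$", "0x17"),
    _ev("2024-05-08T02:15:10", "contractor01@CORP.LOCAL", "svc_sharepoint", "0x17"),
    _ev("2024-05-08T02:20:00", "alice@CORP.LOCAL", "svc_sql", "0x12", ip="::ffff:10.20.31.7"),
    _ev("2024-05-08T03:00:00", "bob@CORP.LOCAL", "svc_print", "0x17", ip="::ffff:10.20.32.9"),
    _ev("2024-05-08T03:01:00", "bob@CORP.LOCAL", "svc_fax", "0x17", status="0x1F", ip="::ffff:10.20.32.9"),
]


def is_roast_candidate(ev):
    """A successfully issued RC4 service ticket for a non-machine service account.

    Machine accounts (names ending in '$') and krbtgt are excluded: their
    keys derive from long random passwords, so the tickets are not crackable
    and they produce most legitimate RC4 noise.
    """
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(events, threshold=3, window_seconds=300):
    """Map each requesting account to the sorted service names it pulled RC4
    tickets for, when it hit at least `threshold` distinct service accounts
    within any `window_seconds` window. One RC4 ticket is usually legacy
    noise; a burst across many SPNs from one principal is the signature of
    Kerberoasting tooling.
    """
    per_account = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            per_account[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    flagged = defaultdict(set)
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            if len(in_window) >= threshold:
                flagged[account] |= in_window
    return {acct: sorted(svcs) for acct, svcs in flagged.items()}


def decode_enc_types(mask):
    """Names of the Kerberos encryption types enabled by an
    msDS-SupportedEncryptionTypes bitmask. A value of 0 (or an absent
    attribute) means the account inherits the domain default."""
    return [name for bit, name in ENC_TYPE_BITS if mask & bit]


def rc4_allowed(mask):
    """True if the bitmask still permits RC4; the hardened value for a
    service account is 0x18 (AES128 + AES256 only)."""
    return bool(mask & 0x04)


if __name__ == "__main__":
    for acct, svcs in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
    for mask in (0x1C, 0x18):
        print(f"msDS-SupportedEncryptionTypes={mask:#04x}: "
              f"{decode_enc_types(mask)}, RC4 allowed: {rc4_allowed(mask)}")
```

The threshold and window are tuning knobs: a single RC4 ticket for a service account still appears in environments with old appliances, so the hunt keys on the burst of distinct SPNs from one principal rather than on any individual ticket. On the remediation side, setting msDS-SupportedEncryptionTypes to 0x18 on a service account forces AES for its tickets regardless of the domain default, which is the per-account fix available today to organizations that cannot wait for the vendor’s scheduled default change.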
Senator Ron Wyden, a long-time tech watchdog, now accuses Microsoft of “gross cybersecurity negligence.” In his letter to the Federal Trade Commission, Wyden argues that Microsoft’s default settings - favoring convenience over security - needlessly expose hospitals, businesses, and government agencies to ransomware. “At this point, Microsoft has become like an arsonist selling firefighting services to their victims,” Wyden charged, highlighting the company’s dominance in enterprise IT and its lucrative cybersecurity add-ons business.
Déjà Vu in Cybersecurity
This isn’t Microsoft’s first time in the hot seat. In 2021, the Hafnium group exploited flaws in Microsoft Exchange, compromising tens of thousands of organizations worldwide. More recently, Microsoft’s SharePoint platform has faced its own string of high-profile breaches. The pattern is clear: when one company’s software underpins so much of the digital world, its vulnerabilities become everyone’s problem.
Wyden’s investigation found that Microsoft had planned to disable RC4 and issue a clear warning to customers, but instead posted a dense technical blog in a little-known corner of its website. Microsoft maintains that less than 0.1% of Active Directory authentication traffic still uses RC4, yet admits that abruptly turning it off could “break” legacy systems. The company now promises to phase out RC4 by 2026 for newly deployed servers, but critics argue that is too little, too late for those already hit.
Monopoly or Mission Critical?
Microsoft’s near-monopoly over enterprise operating systems leaves organizations like Ascension with few alternatives, even after a breach. As digital threats escalate, the debate intensifies: should tech giants be held to higher standards when their defaults can endanger millions? The Ascension attack is a stark reminder that in cybersecurity, yesterday’s shortcuts can fuel tomorrow’s disasters. Will the FTC step in before the next hospital goes dark?