Remember that 2024 ransomware attack against Ascension, one of the largest U.S. nonprofit healthcare systems, which compromised the sensitive data of 5.6 million patients? Sen. Ron Wyden (D-Ore.) wants the U.S. government to hold Microsoft responsible “for contributing to ransomware attacks against critical U.S. infrastructure” like Ascension. 

In a letter sent to Federal Trade Commission (FTC) Chairman Andrew Ferguson on Wednesday, Wyden said Microsoft should be investigated for “dangerously insecure default settings” on its software that enabled the threat actor in the attack to gain privileged access to Ascension’s network.

“I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector,” Wyden said. 

The Ascension hack started when a contractor clicked on a malicious link after kicking off a web search from Microsoft’s Bing search engine. From there, the contractor’s laptop was infected with malware. Threat actors were then able to move laterally across Ascension’s network and gain administrative privileges to accounts on the Microsoft Active Directory (AD) server, where user accounts are managed. They used this access to deploy ransomware to thousands of computers across the organization. 

The threat actors specifically used Kerberoasting to gain access to privileged accounts on Ascension’s Active Directory server. Kerberoasting is a technique that targets RC4, a decades-old encryption cipher that is known to be insecure. RC4 is still supported in the default configuration of Microsoft’s software. In a 2024 post about mitigations for Kerberoasting attacks, Microsoft said “while AD will not try to use RC4 by default, RC4 is currently enabled by default, meaning a cyberthreat actor can attempt to request tickets encrypted using RC4.”

“RC4 is more susceptible to the cyberattack because it uses no salt or iterated hash when converting a password to an encryption key, allowing the cyberthreat actor to guess more passwords quickly,” according to Microsoft. “However, other encryption algorithms are still vulnerable when weak passwords are used.”
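As an added illustration of the defensive side of what is described above (not code from the letter, Microsoft, or Ascension): Windows domain controllers log every service-ticket request as Security event 4769 together with its encryption type, so a burst of RC4 (0x17) tickets for several service accounts from a single client is the pattern a detection should flag. The field names follow that event's EventData layout as documented by Microsoft; the records, hosts and account names are constructed samples.

```python
"""Flag Kerberoasting-style bursts of RC4 service-ticket requests in Windows
Security event 4769 data. TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is
AES256-CTS-HMAC-SHA1-96. All records here are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

def event_4769(time, user, service, etype, ip):
    """Build the subset of 4769 EventData fields this check uses."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample: one workstation asks for RC4 tickets for several service
# accounts within minutes, while a second host shows ordinary activity.
SAMPLE_EVENTS = [
    event_4769("2024-05-08T10:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "::ffff:10.0.5.23"),
    event_4769("2024-05-08T10:00:02", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "::ffff:10.0.5.23"),
    event_4769("2024-05-08T10:00:02", "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "::ffff:10.0.5.23"),
    event_4769("2024-05-08T10:00:03", "jdoe@CORP.EXAMPLE", "FILESRV01$", "0x17", "::ffff:10.0.5.23"),
    event_4769("2024-05-08T10:02:30", "jdoe@CORP.EXAMPLE", "svc_ws", "0x17", "::ffff:10.0.5.23"),
    event_4769("2024-05-08T10:01:00", "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "::ffff:10.0.5.40"),
    event_4769("2024-05-08T10:01:05", "asmith@CORP.EXAMPLE", "svc_web", "0x17", "::ffff:10.0.5.40"),
]

def rc4_service_ticket_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {(client_ip, user): [services]} for clients that requested RC4
    tickets for at least `threshold` distinct service accounts inside `window`.
    Computer accounts ("...$") and krbtgt are skipped: their long random keys
    are not what offline guessing of an RC4 ticket goes after."""
    by_client = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if e["TicketEncryptionType"].lower() != RC4_HMAC or svc.endswith("$") or svc == "krbtgt":
            continue
        by_client[(e["IpAddress"], e["TargetUserName"])].append(
            (datetime.fromisoformat(e["time"]), svc))
    findings = {}
    for client, requests in by_client.items():
        requests.sort()
        for start, _ in requests:  # slide the window over each request in turn
            services = {s for t, s in requests if start <= t <= start + window}
            if len(services) >= threshold:
                findings[client] = sorted(services)
                break
    return findings
```

A single RC4 ticket request is not conclusive on its own, since accounts without AES keys still produce them legitimately; the signal is one principal collecting RC4 tickets for many distinct service accounts in a short window, so tune `threshold` and `window` to the domain's baseline.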

Microsoft in that 2024 post said that RC4 will be deprecated, and that it intended to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025. However, Wyden said it has still not released that update. 

“In its default configuration, Microsoft Windows is incredibly vulnerable to ransomware infections,” according to Wyden. “Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection.”

The letter from Wyden is the latest call to hold companies that design and manufacture tech products responsible for security weaknesses in their products, which threat actors target in their attacks. Microsoft in particular came under the spotlight in a 2024 report from the Cyber Safety Review Board (RIP) for its security lapses behind the 2023 Microsoft Exchange Online intrusion.

“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” said Wyden.