    ‘Microsoft has become like an arsonist selling firefighting services to their victims’ says US senator, referring it to the FTC for a cybersecurity flaw, though Microsoft says it has a plan

    By techupdateadmin, September 12, 2025

    US senator Ron Wyden has written a letter to the FTC requesting that the organisation investigate Microsoft for what he calls “gross cybersecurity negligence.” His complaint is primarily related to a form of encryption still supported by the company’s Windows operating system, which the senator’s office believes is vulnerable to ransomware attacks.

    In the letter [PDF warning], Senator Wyden reveals that an investigation his office conducted into a ransomware breach of healthcare provider Ascension last year found that support of the RC4 encryption cipher was a direct contributor to the attack (via Ars Technica).

    “Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” said Wyden.


    “Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software.”

    RC4, or Rivest Cipher 4, was developed in 1987 by mathematician and cryptographer Ron Rivest, and was considered a protected method of encryption until 1994, when it was compromised as a result of a leaked technical description. Despite this, RC4 was widely used in common encryption protocols until around a decade ago, and is still used by Microsoft to secure Active Directory, a Windows component used by system administrators to configure user accounts.

    While Windows will use AES encryption by default, the senator’s office discovered that Windows servers will still respond to RC4-based authentication requests, which potentially opens them up to “Kerberoasting.” This is a technique in which administrative privileges are gained by exploiting encryption on one affected machine in order to install ransomware on others.
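
Whether a domain is still issuing RC4 service tickets can be checked from the domain controllers' Kerberos service ticket events (Security event ID 4769), where ticket encryption types 0x17 and 0x18 denote RC4. The Python below is an added example, not part of the original article or of Microsoft's guidance; the event records, account names and helper function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC, RC4-HMAC-EXP; AES is 0x11 / 0x12

def make_event(user, service, etype, status="0x0"):
    """Build a constructed, trimmed 4769 record (real events carry more fields)."""
    data = {"TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4769</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample input; every account and service name here is made up.
SAMPLE = [
    make_event("alice@EXAMPLE.LOCAL", "svc-sql", "0x12"),             # AES256
    make_event("bob@EXAMPLE.LOCAL", "svc-sql", "0x17"),               # RC4
    make_event("bob@EXAMPLE.LOCAL", "svc-backup", "0x17"),            # RC4
    make_event("bob@EXAMPLE.LOCAL", "svc-web", "0x17"),               # RC4
    make_event("carol@EXAMPLE.LOCAL", "FILESRV01$", "0x17"),          # machine account
    make_event("dave@EXAMPLE.LOCAL", "svc-old", "0xffffffff", "0xe"), # failed request
]

def rc4_service_tickets(xml_events):
    """Map each requesting account to the user-run services it got RC4 tickets for."""
    hits = defaultdict(set)
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4769":
            continue
        d = {n.get("Name"): (n.text or "") for n in root.iterfind("e:EventData/e:Data", NS)}
        if d.get("Status") != "0x0":
            continue  # no ticket was issued
        if int(d.get("TicketEncryptionType", "0"), 16) not in RC4_ETYPES:
            continue
        svc = d.get("ServiceName", "")
        # Machine accounts (trailing $) and krbtgt use long random keys; skip them.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits[d.get("TargetUserName", "?")].add(svc)
    return {user: sorted(svcs) for user, svcs in hits.items()}

def noisy_requesters(xml_events, threshold=3):
    """Accounts that obtained RC4 tickets for at least `threshold` distinct services."""
    found = rc4_service_tickets(xml_events)
    return sorted(u for u, svcs in found.items() if len(svcs) >= threshold)

if __name__ == "__main__":
    print(rc4_service_tickets(SAMPLE))
    print(noisy_requesters(SAMPLE))
```

The service accounts this surfaces are the ones that still need AES keys before RC4 can be turned off without breaking them.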

    In the case of Ascension, the senator claims that a contractor clicking on a malicious link led to hackers “moving laterally” within its server network, exploiting the weak encryption in order to push ransomware to thousands of other computers in the organisation and ultimately stealing the sensitive data of 5.6 million patients.

    While the senator says that his office contacted Microsoft about the vulnerability, and that the company eventually posted a blog post with actions that organisations could take to protect against it, a promised security update to fix the issue is yet to arrive.

    “The Ascension hack illustrates how it is Microsoft’s customers, and, ultimately, the public, who bear the cost of Microsoft’s dangerous software engineering practices and the company’s refusal to inform its customers about the pressing need to adopt important cybersecurity safeguards,” the senator continues.

    “There is one company benefiting from this status quo: Microsoft itself. Instead of delivering secure software to its customers, Microsoft has built a multibillion dollar secondary business selling cybersecurity add-on services to those organizations that can afford it. At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”


    The senator ends his letter by urging the FTC to investigate Microsoft, and hold the company responsible for what the senator claims is the “serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector.”

    Microsoft has since released a statement to multiple outlets, including Ars Technica, directly addressing the senator’s claims:

    “RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems,” the company said.

    “For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use. We’ve engaged with The Senator’s office on this issue and will continue to listen and answer questions from them or others in government.”

    Microsoft also says that in the first quarter of 2026, “Any new installations of Active Directory Domains using Windows Server 2025 will have RC4 disabled by default, meaning any new domain will inherently be protected against attacks relying on RC4 weaknesses. We plan to include additional mitigations for existing in-market deployments with considerations for compatibility and continuity of critical customer services.”
