US Hospital Systems Hit by Cyberattacks, Senator Urges FTC to Investigate Microsoft's (MSFT.US) Cybersecurity Vulnerabilities

Sep 10

Oregon Democratic Senator Ron Wyden has written to Federal Trade Commission (FTC) Chairman Andrew Ferguson, publicly criticizing Microsoft Corporation (MSFT.US) for apparent cybersecurity vulnerabilities that led to ransomware attacks on US hospital systems, and has called for a federal investigation.

The Oregon Democrat accused Microsoft of "serious cybersecurity negligence," claiming such negligence has resulted in ransomware attacks targeting America's critical infrastructure. In his letter, he cited the 2024 Ascension Health system incident as an example: as one of the largest nonprofit health systems in the United States, Ascension was forced to shut down computer systems at multiple hospitals following a cyberattack, causing surgical delays and exposing sensitive data of over 5 million patients.

An investigation by Wyden's office revealed that the attack began when Bing returned a malicious link to a contractor, who clicked on it and was compromised. Hackers then infiltrated Ascension's network and exploited RC4, an insecure encryption technology that Windows supports by default, using Kerberoasting to crack the passwords of privileged accounts and ultimately infiltrate its systems.
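A defender-side check for the RC4 exposure described above, as an added example that is not part of the original article: it scans domain controller Security event 4769 (Kerberos service ticket requested) for tickets issued with RC4 and groups them by requester. It assumes the events have already been exported to dicts; the account names, service names and addresses are constructed, and the threshold of three services is an illustrative choice.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # Kerberos etype 23 (RC4-HMAC); AES128 is 0x11, AES256 is 0x12

# Constructed sample: event 4769 records flattened to dicts (values are invented).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc-legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4768, "TargetUserName": "asmith", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
]


def rc4_service_tickets(events):
    """Return 4769 events where a ticket for a user-run service was issued with RC4."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if int(ev.get("TicketEncryptionType", "0"), 16) != RC4_HMAC:
            continue
        service = ev.get("ServiceName", "")
        # Machine accounts (name$) and krbtgt use randomly generated passwords; skip them.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        hits.append(ev)
    return hits


def kerberoast_suspects(events, min_services=3):
    """Requesters that obtained RC4 tickets for at least min_services distinct services."""
    by_requester = defaultdict(set)
    for ev in rc4_service_tickets(events):
        by_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_requester.items() if len(s) >= min_services}


def rc4_exposed_services(events):
    """Service accounts still being issued RC4 tickets (candidates to move to AES)."""
    return sorted({ev["ServiceName"] for ev in rc4_service_tickets(events)})


if __name__ == "__main__":
    print("Suspect requesters:", kerberoast_suspects(SAMPLE_EVENTS))
    print("Services issued RC4 tickets:", rc4_exposed_services(SAMPLE_EVENTS))
```

The second list is the more durable output: each service account on it should get a long random password and AES-only encryption types, which removes the condition the first list only detects.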

Wyden emphasized that Microsoft has long used "ancient and insecure" RC4 encryption technology, enabling hackers to easily crack account passwords, while the company has concealed this dangerous decision from enterprise and government customers. He pointed out that this negligence has led to situations where "a single employee clicking a link can trigger organization-wide ransomware infections," with Microsoft not only failing to effectively prevent attacks but allowing "ransomware proliferation caused by dangerous software."

Although Microsoft spokesperson David Cardi responded that RC4 is an "old standard" accounting for less than 0.1% of its traffic, and that the company is gradually reducing customer usage with plans to disable the technology by default in newly installed Active Directory systems starting in 2026, Wyden believes the vast majority of Microsoft customers remain exposed to attack risks.

Notably, this is not Wyden's first criticism of Microsoft. In July 2024, he had already questioned Microsoft executives about Kerberos security issues, prompting the company to publish a technical blog in October that year to guide organizations in preventing attacks and announce the development of an update to disable RC4. However, this update has not been officially released to date, meaning government agencies, nonprofit organizations, and other customers likely remain vulnerable to hacker techniques.

Wyden warned that if the Federal Trade Commission does not take action, Microsoft's "corporate culture of ignoring cybersecurity" combined with its "de facto monopoly position in the operating system market" will pose a national security threat, making more cyberattacks inevitable.

The Federal Trade Commission has not commented on the matter, and Ascension has not responded to interview requests.
