Dive Brief:
- Sen. Ron Wyden, D-Ore., is urging the Federal Trade Commission to investigate Microsoft for allegedly enabling the massive cyberattack on St. Louis-based health system Ascension last year.
- In a letter sent to FTC Chairman Andrew Ferguson Wednesday, Wyden alleged the technology giant contributed to the attack by “delivering dangerous, insecure software” to the government and critical infrastructure industries, including the healthcare sector.
- The ransomware attack on Ascension, one of the nation’s largest nonprofit health systems, took critical technology systems offline for weeks, forced some facilities to divert ambulances and exposed the sensitive health data of 5.5 million people.
Dive Insight:
Microsoft has a “de facto monopoly” with its Windows operating system, given its use by most companies and government agencies, according to Wyden, an influential senator who has often called attention to the healthcare sector’s challenges with cybersecurity.
But he argues Windows’ default configuration is vulnerable to ransomware attacks, leaving customers exposed to an organization-wide cyberattack if a single worker clicks on the wrong link. Meanwhile, the technology giant “has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software,” Wyden said.
The major cyberattack on Ascension is one example of the potential damage, according to the letter. The health system told Wyden’s staff that a contractor using an Ascension laptop conducted a search on Microsoft’s Bing search engine in February 2024 and inadvertently clicked on a link that contained malware.
Hackers were then able to move throughout Ascension’s network and obtain administrative privileges over user accounts managed by Microsoft’s Active Directory server, allowing them to spread ransomware to thousands of other computers.
The attackers were able to gain this access by using a technique called “Kerberoasting,” which exploits an insecure encryption technology from the 1980s called RC4, Wyden wrote.
Though Microsoft supports superior encryption technology, it’s not enabled by default in Windows, according to the letter. And though the technology giant has published a blog post on how organizations can protect themselves and promised to release a software update that will disable RC4, the update hasn’t come yet, Wyden wrote.
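The two points above, that RC4 service tickets are what a Kerberoasting attempt leaves behind and that stronger ciphers exist but are not switched on by default, are the ones a defender can act on. The following Python script is an added example, not code from the article, Wyden’s letter, Microsoft or Ascension: it parses constructed, flattened Windows Security Event 4769 records (“A Kerberos service ticket was requested”), flags tickets issued with RC4 (encryption type 0x17) for non-computer service accounts, counts how many distinct services a single requester pulled that way, and decodes the msDS-SupportedEncryptionTypes attribute that controls whether an account still accepts RC4. The sample log lines, account names and the three-service threshold are assumptions for illustration.

```python
"""Added example (not from the article, Microsoft or Ascension): hunt for RC4 service
tickets in Event 4769 data and check whether an account's AD attribute still allows RC4."""
import re
from dataclasses import dataclass

# Kerberos encryption-type codes as they appear in Event 4769's TicketEncryptionType field.
RC4_HMAC = 0x17
ETYPE_NAMES = {
    0x17: "RC4-HMAC",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
}

# Bit flags of the msDS-SupportedEncryptionTypes attribute on an Active Directory account.
SUPPORTED_ETYPE_FLAGS = {
    0x1: "DES-CBC-CRC",
    0x2: "DES-CBC-MD5",
    0x4: "RC4-HMAC",
    0x8: "AES128",
    0x10: "AES256",
}
RC4_FLAG = 0x4


@dataclass
class TicketRequest:
    account: str      # requesting user
    service: str      # service account (SPN owner) the ticket was issued for
    etype: int        # encryption type of the issued ticket
    client_ip: str    # requesting host


# Constructed sample records in a flattened 4769 layout; not real Ascension data.
SAMPLE_4769 = [
    "4769 Account=jdoe@CORP.EXAMPLE Service=svc_sql TicketEncryptionType=0x17 Client=10.0.5.21",
    "4769 Account=jdoe@CORP.EXAMPLE Service=svc_backup TicketEncryptionType=0x17 Client=10.0.5.21",
    "4769 Account=jdoe@CORP.EXAMPLE Service=svc_web TicketEncryptionType=0x17 Client=10.0.5.21",
    "4769 Account=asmith@CORP.EXAMPLE Service=WS-0042$ TicketEncryptionType=0x12 Client=10.0.7.3",
    "4769 Account=jdoe@CORP.EXAMPLE Service=krbtgt TicketEncryptionType=0x17 Client=10.0.5.21",
]

LINE_RE = re.compile(
    r"4769 Account=(\S+) Service=(\S+) TicketEncryptionType=(0x[0-9a-fA-F]+) Client=(\S+)"
)


def parse_4769(line):
    """Parse one flattened 4769 record; returns None for lines in another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return TicketRequest(m.group(1), m.group(2), int(m.group(3), 16), m.group(4))


def rc4_service_tickets(lines):
    """RC4 tickets for user-style service accounts. Computer accounts (trailing '$') and
    krbtgt are skipped: they are not the accounts whose passwords Kerberoasting targets."""
    hits = []
    for line in lines:
        req = parse_4769(line)
        if req is None or req.etype != RC4_HMAC:
            continue
        if req.service.endswith("$") or req.service.lower() == "krbtgt":
            continue
        hits.append(req)
    return hits


def requesters_over_threshold(lines, threshold=3):
    """Requesters that fetched RC4 tickets for at least `threshold` distinct services.
    One user collecting many RC4 service tickets is the pattern worth triaging."""
    per_account = {}
    for req in rc4_service_tickets(lines):
        per_account.setdefault(req.account, set()).add(req.service)
    return {acct: len(svcs) for acct, svcs in per_account.items() if len(svcs) >= threshold}


def decode_supported_etypes(value):
    """Names of the ciphers enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in SUPPORTED_ETYPE_FLAGS.items() if value & bit]


def rc4_allowed(value):
    """True when the account can still be issued RC4 tickets. An unset attribute (0) means
    the domain default applies; this example assumes that default still includes RC4."""
    if value == 0:
        return True
    return bool(value & RC4_FLAG)


if __name__ == "__main__":
    for req in rc4_service_tickets(SAMPLE_4769):
        print(f"RC4 ticket: {req.account} -> {req.service} from {req.client_ip}")
    print("requesters over threshold:", requesters_over_threshold(SAMPLE_4769))
    print("0x18 enables:", decode_supported_etypes(0x18), "RC4 allowed:", rc4_allowed(0x18))
```

Feeding real 4769 exports through the same logic means adapting only `LINE_RE` to the export format; the encryption-type and attribute-bit values are those Windows itself uses. An account whose `msDS-SupportedEncryptionTypes` decodes to AES only (0x18) cannot be issued an RC4 ticket regardless of what a client asks for, which is the per-account form of the default change the article says Microsoft has promised.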
Meanwhile, Microsoft is benefiting by selling cybersecurity add-on services, he added.
“At this point, Microsoft has become like an arsonist selling firefighting services to their victims,” Wyden wrote. “And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT.”
In a statement, Microsoft said it had already removed another encryption standard with similar problems to RC4. Additionally, new installations of Active Directory domains using Windows Server 2025 will have RC4 disabled by default in the first quarter of next year.
“RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic,” a spokesperson told Healthcare Dive. “However, disabling its use completely would break many customer systems. For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use.”
An FTC spokesperson confirmed the agency had received the letter but said it had no comment. Ascension didn’t respond to a request for comment by press time.