US Senator Ron Wyden has officially requested the Federal Trade Commission (FTC) to launch an investigation into Microsoft. In a letter to FTC Chairman Andrew N. Ferguson, Wyden states that Microsoft has shown gross negligence in the area of cybersecurity for years.
According to him, this has led to large-scale ransomware attacks on critical infrastructure, including the US healthcare system. In his letter, Wyden refers to figures from the Director of National Intelligence (DNI): in 2024, there were more than 5,000 ransomware attacks worldwide, an increase of 15 percent compared to 2023 and more than 100 percent compared to 2022.
Half of all victims are believed to be located in the US. According to Wyden, Microsoft plays a central role in this: Windows is the dominant operating system in both business and government, and because organizations tend to keep the default settings, Microsoft's default configuration and security choices directly determine how resilient those organizations are against cyberattacks.
As a concrete example, Wyden cites the ransomware attack on Ascension, one of the largest non-profit healthcare systems in the US. In February 2024, a contractor working for Ascension clicked on a malicious link in Microsoft's Edge browser, which uses Bing as its default search engine.
Thousands of infected systems
As a result, malware spread through the network, hackers gained access to Microsoft Active Directory, and acquired administrator rights. Ultimately, thousands of systems were infected and the data of nearly 5.6 million patients was stolen.
The attack used Kerberoasting, a technique in which an attacker who already holds any domain account requests Kerberos service tickets for accounts that have a service principal name and then cracks those tickets offline to recover the account passwords. Tickets issued with the legacy RC4-HMAC encryption type are keyed directly by the unsalted NT hash of the account password, so they can be cracked far faster than AES tickets, whose keys are derived from the password with a salted, iterated key-derivation function. Windows domain controllers still accept RC4 by default; despite years of warnings from the security sector, RC4 has not been disabled out of the box.
Microsoft does recommend long passwords for such service accounts, which would make cracked tickets far less useful, but does not make them mandatory. Wyden also criticizes the way Microsoft communicated: its Kerberoasting warning was tucked away in a technical blog post published on a Friday afternoon, without a clear explanation aimed at administrators or IT managers.
Microsoft responded via Reuters that RC4 now accounts for less than 0.1 percent of traffic and that completely disabling it would disrupt too many existing customer systems. The company further states that RC4 will be disabled by default in certain Windows products starting in the first quarter of 2026 and that additional measures will be taken for existing installations.
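The check a domain administrator would run to see how exposed their own environment is to exactly this attack, as an added example that is not part of Wyden's letter or of Microsoft's own tooling: it lists every user account with a service principal name (the accounts Kerberoasting targets) whose msDS-SupportedEncryptionTypes attribute still lets the domain controller issue RC4 tickets, and offers an opt-in fix that restricts an account to AES. It assumes the RSAT ActiveDirectory module and read access to the domain; the function names Get-RC4ServiceAccounts and Set-AesOnly and the account name svc_sql are illustrative.

```powershell
# Added example (not from Wyden's letter or from Microsoft): audit which service
# accounts can still receive RC4-HMAC (etype 23) Kerberos service tickets, the
# tickets a Kerberoasting attacker requests because their key is the unsalted NT
# hash of the account password. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$ETYPE = @{ DES_CRC = 0x1; DES_MD5 = 0x2; RC4 = 0x4; AES128 = 0x8; AES256 = 0x10 }

function Get-RC4ServiceAccounts {
    # Illustrative helper name. Returns user accounts that have an SPN and for
    # which the KDC would still issue RC4 service tickets.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'ServicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'
    # Any authenticated domain user can request a service ticket for any SPN, so
    # every SPN-bearing user account is a Kerberoasting target. Computer accounts
    # are skipped: their passwords are long random values that rotate automatically.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            # Unset or 0 means the DC applies its domain-wide default, which still
            # includes RC4 unless DefaultDomainSupportedEncTypes has been changed.
            $rc4Allowed  = (-not $raw) -or (($raw -band $ETYPE.RC4) -ne 0)
            $aesExplicit = [bool]($raw -band ($ETYPE.AES128 -bor $ETYPE.AES256))
            $etypeText   = if ($raw) { '0x{0:X}' -f $raw } else { 'unset (domain default)' }
            # Old passwords are the ones most likely to be short and already cracked.
            $pwdAge = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                SupportedEtypes = $etypeText
                RC4Allowed      = $rc4Allowed
                AESExplicit     = $aesExplicit
                PasswordAgeDays = $pwdAge
                SPNs            = ($_.ServicePrincipalName -join '; ')
            }
        } |
        Where-Object { $_.RC4Allowed }
}

function Set-AesOnly {
    # Illustrative helper name. Restricts one account to AES so the KDC issues only
    # etype 17/18 tickets. This is the compatibility step Microsoft says it cannot
    # take for every customer at once: the service itself must support AES, and
    # the account's AES keys only exist if its password was set after AES support
    # existed in the domain, so rotate the password (to a long random one) together
    # with the service owner in the same change. Longer term, such services belong
    # on group managed service accounts, whose passwords rotate automatically.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$WhatIf
    )
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128,AES256' -WhatIf:$WhatIf
}

# Usage: list the exposed accounts, oldest passwords first, then fix one account
# after confirming its service supports AES (svc_sql is a made-up name).
Get-RC4ServiceAccounts | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
# Set-AesOnly -SamAccountName 'svc_sql' -WhatIf
```

Running the audit costs nothing and is read-only; the fix is deliberately opt-in and supports -WhatIf because a service that cannot do AES will stop authenticating the moment RC4 is removed from its account, which is precisely the breakage Microsoft cites as the reason for not flipping the default for everyone.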
Hacks by Chinese actors
Wyden points out that the Ascension incident is not an isolated case. In 2023 and 2024, there were several major hacks in which Chinese actors exploited vulnerabilities in Microsoft software. At the time, the Cyber Safety Review Board concluded that Microsoft’s security culture was inadequate and needed to be thoroughly reformed.
The senator argues that Microsoft’s negligence, combined with its quasi-monopoly position in the enterprise market, poses a structural risk to national security. He asks the FTC to investigate whether Microsoft is guilty of unfair and deceptive trade practices and to hold the company accountable for the damage. Reuters news agency reports that the FTC has confirmed receipt of the letter but has not provided any further substantive response.