Senator Wyden calls for FTC probe into Microsoft's role in ransomware attacks on U.S. critical infrastructure
Summary
U.S. Senator Ron Wyden has urged the Federal Trade Commission (FTC) to investigate Microsoft for alleged cybersecurity negligence that facilitated ransomware attacks on U.S. critical infrastructure, including healthcare networks. Wyden's call follows a ransomware attack on Ascension, a healthcare system, which resulted in the theft of personal and medical information of nearly 5.6 million individuals. The attack, attributed to the Black Basta ransomware group, exploited insecure default settings in Microsoft software and the RC4 encryption algorithm. The breach occurred when a contractor clicked on a malicious link in Microsoft's Bing search engine, leading to malware infection and subsequent elevated access to Ascension's network. Wyden's office highlighted Microsoft's continued support for RC4, an outdated and insecure encryption technology, as a significant vulnerability. Microsoft has acknowledged the issues and plans to deprecate RC4 support in future updates to Windows 11 and Windows Server 2025. The company also outlined mitigations to protect against Kerberoasting attacks, which target the Kerberos authentication protocol. Wyden's office urged Microsoft to warn customers about the dangers of using RC4 instead of AES 128/256, and Microsoft responded with a technical blog post in October 2024, which was criticized for not clearly conveying the warning to decision-makers. Microsoft is actively working to gradually remove RC4 and is providing advice for using the algorithm in the safest ways possible.
Timeline
11.09.2025 17:51 · 2 articles
Senator Wyden calls for FTC probe into Microsoft's role in ransomware attacks on U.S. critical infrastructure
U.S. Senator Ron Wyden has urged the FTC to investigate Microsoft for alleged cybersecurity negligence that facilitated ransomware attacks on U.S. critical infrastructure, including healthcare networks. The call follows a ransomware attack on Ascension, a healthcare system, which resulted in the theft of personal and medical information of nearly 5.6 million individuals. The attack, attributed to the Black Basta ransomware group, exploited insecure default settings in Microsoft software and the RC4 encryption algorithm. The breach occurred when a contractor clicked on a malicious link in Microsoft's Bing search engine, leading to malware infection and subsequent elevated access to Ascension's network. Wyden's office highlighted Microsoft's continued support for RC4, an outdated and insecure encryption technology, as a significant vulnerability. Wyden's office urged Microsoft to warn customers about the dangers of using RC4 instead of AES 128/256. Microsoft responded with a technical blog post in October 2024, which was criticized for not clearly conveying the warning to decision-makers. Microsoft is actively working to gradually remove RC4 and is providing advice for using the algorithm in the safest ways possible. Wyden explicitly frames Microsoft's practices as a serious national security risk, expressing certainty that more high-impact incidents will occur unless the FTC intervenes.
Sources:
- Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence — thehackernews.com — 11.09.2025 17:51
- U.S. Senator accuses Microsoft of "gross cybersecurity negligence" — www.bleepingcomputer.com — 11.09.2025 22:23
Information Snippets
All snippets were first reported 11.09.2025 17:51 and are supported by both sources listed under Timeline above, except where noted.
- U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices following ransomware attacks on critical infrastructure.
- The ransomware attack on Ascension, a healthcare system, resulted in the theft of personal and medical information of nearly 5.6 million individuals.
- The attack was attributed to the Black Basta ransomware group, which exploited insecure default settings in Microsoft software and the RC4 encryption algorithm.
- The breach occurred when a contractor clicked on a malicious link in Microsoft's Bing search engine, leading to malware infection and elevated access to Ascension's network.
- Microsoft's continued support for RC4, an outdated and insecure encryption technology, was highlighted as a significant vulnerability.
- Microsoft plans to deprecate RC4 support in future updates to Windows 11 and Windows Server 2025.
- Microsoft has outlined mitigations to protect against Kerberoasting attacks, which target the Kerberos authentication protocol. (1 source: thehackernews.com)
Similar Happenings
HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks.
Wayne Memorial Hospital Ransomware Attack Affects 160,000 Individuals
Wayne Memorial Hospital (WMH) in Georgia has disclosed a ransomware attack that occurred in May 2024, impacting over 160,000 individuals. The breach involved unauthorized access to sensitive personal and medical information. The hospital identified the incident on June 3, 2024, and took immediate steps to secure its network and restore systems from backups. The Monti ransomware group has been linked to the attack. The compromised data includes names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical history, and prescription details. WMH is offering affected individuals 12 months of free credit monitoring and identity theft protection services. The hospital engaged legal counsel and cybersecurity professionals to investigate the attack and implement additional security measures.
Exploit chain in Sitecore Experience Platform enables remote code execution
Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE). The flaws include HTML cache poisoning, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches for these vulnerabilities were released in June and July 2025. The exploit chain leverages a combination of pre-authentication and post-authentication vulnerabilities to compromise fully-patched instances of the platform. Additionally, a zero-day vulnerability (CVE-2025-53690) has been exploited by threat actors to deliver malware, including WeepSteel, and perform extensive reconnaissance and lateral movement. The flaw is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2025 Sitecore guides. The attackers target the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieve RCE under the IIS NETWORK SERVICE account by leveraging CVE-2025-53690. The malicious payload dropped by the attackers is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information. The attack observed by Mandiant stemmed from a documentation issue involving sample machine keys provided for customer use. Sitecore advised customers to rotate and secure ASP.NET machine keys, encrypt
EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer
The threat actor EncryptHub continues to exploit the MSC EvilTwin vulnerability (CVE-2025-26633) in Microsoft Management Console (MMC) to deliver malicious payloads, including the Fickle Stealer malware. EncryptHub uses social engineering tactics, such as impersonating IT departments and sending malicious Microsoft Teams requests, to initiate the infection routine. The group has been active since mid-2024 and is known for deploying various stealer malware through multiple vectors. The latest campaign involves dropping two MSC files, one benign and one malicious, to exploit the vulnerability and execute PowerShell commands that establish persistence and communicate with a command-and-control (C2) server. The group also abuses the Brave Support platform to host next-stage malware and uses videoconferencing lures to deceive victims into downloading malicious installers.