A U.S. senator is calling on the Federal Trade Commission to investigate Microsoft, accusing the company of gross cybersecurity negligence tied to Windows’ default encryption settings. Senator Ron Wyden argues that relying on an obsolete cipher by default exposes large organizations to ransomware risk in ways Microsoft has not adequately disclosed to customers.
Wyden links the 2024 ransomware breach at Ascension to the default use of RC4 in Active Directory and Kerberos within Windows environments, noting that attackers were able to capitalize on this setup to exfiltrate data from 5.6 million patients’ medical records.
He characterizes the situation as the second time in as many years that he has described Microsoft’s security practices as negligent, citing what he calls dangerous software engineering decisions that can allow a single compromised workstation to trigger a company-wide infection.
Security researchers, including cryptography expert Matt Green of Johns Hopkins University, explain that RC4’s lack of salt and single iteration makes offline password cracking feasible, enabling Kerberoasting against accounts protected by weak encryption. The technique has been known since 2014 and remains a risk in misconfigured Active Directory deployments.
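As a defender's check for the exposure described above, the following is an added example (not code from the article, from Microsoft, or from any researcher it cites) that audits an exported list of Active Directory accounts for msDS-SupportedEncryptionTypes values that still permit RC4 on SPN-bearing accounts, the ones a Kerberoasting attempt would target. The account names and SPNs are constructed, and treating an unset attribute as RC4-capable is an assumption about the historical default that should be confirmed against your own domain policy.

```python
import json

# msDS-SupportedEncryptionTypes bit flags (Active Directory attribute values).
ENCTYPE_FLAGS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
                 0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
RC4_HMAC, AES_ANY = 0x4, 0x8 | 0x10

# Constructed sample export (hypothetical accounts, not from the article), the
# fields a directory dump would carry for name, servicePrincipalName and
# msDS-SupportedEncryptionTypes; null models an attribute that was never set.
SAMPLE_EXPORT = json.dumps([
    {"name": "svc-sql", "spn": ["MSSQLSvc/db01.example.test:1433"], "enctypes": 4},
    {"name": "svc-web", "spn": ["HTTP/web01.example.test"], "enctypes": 28},
    {"name": "svc-legacy", "spn": ["CIFS/old01.example.test"], "enctypes": None},
    {"name": "svc-api", "spn": ["HTTP/api01.example.test"], "enctypes": 16},
    {"name": "jdoe", "spn": [], "enctypes": 4},
])


def describe(enctypes):
    """Names of the ciphers enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENCTYPE_FLAGS.items() if (enctypes or 0) & bit]


def allows_rc4(enctypes):
    """True if service tickets for the account may be RC4-encrypted.
    Assumption: unset/zero is treated as RC4-capable, the historical Windows
    default the article describes; confirm against your own domain policy."""
    return True if not enctypes else bool(enctypes & RC4_HMAC)


def audit(export_json):
    """Flag SPN-bearing accounts still exposed to offline ticket cracking.
    rc4_only marks the worst case: no AES bit at all, so only fixing the
    attribute and rotating the password removes the RC4 key."""
    findings = []
    for acct in json.loads(export_json):
        if not acct["spn"] or not allows_rc4(acct["enctypes"]):
            continue
        findings.append({
            "name": acct["name"],
            "enabled": describe(acct["enctypes"]) or ["(unset: RC4 by default)"],
            "rc4_only": not ((acct["enctypes"] or 0) & AES_ANY),
            "action": "set msDS-SupportedEncryptionTypes to AES only (0x18), "
                      "then reset the password so no RC4 key remains",
        })
    return findings
```

Calling `audit(SAMPLE_EXPORT)` returns three findings (svc-sql, svc-web, svc-legacy); svc-api is AES-only and jdoe has no SPN, so neither is reported.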
Microsoft has acknowledged concerns about RC4 and says it intends to deprecate the cipher. In public remarks, the company stated RC4 is being phased out, with plans to disable it by default for new Active Directory deployments and broader mitigations in 2026, a timeline that Wyden says should come with clear warnings for customers about RC4’s persistence in existing systems.