In February 2024, Ascension, a major healthcare provider, suffered a devastating **ransomware attack** that began when a contractor clicked a phishing link reached through Microsoft Bing and Edge. The attackers used **Kerberoasting**, exploiting Active Directory's continued default support for the outdated **RC4 encryption** cipher (a 1980s algorithm long deemed insecure) to gain administrative privileges in **Active Directory**. They then deployed ransomware across **thousands of systems**, compromising the **personal data, medical records, payment/insurance details, and government IDs of over 5.6 million patients**. The breach disrupted hospital operations, delayed critical treatments, and exposed systemic weaknesses tied to Microsoft's default security configurations, including weak password policies for privileged accounts. Despite repeated warnings from **CISA, FBI, and NSA** that RC4 and Kerberoasting were being exploited, notably by state actors such as Iran, Microsoft had yet to disable RC4 by default, prolonging exposure. Ascension's incident underscores the cascading impact of **legacy encryption flaws**, **poor default security settings**, and **third-party contractor risks** in healthcare cybersecurity.
TPRM report: https://www.rankiteo.com/company/ascensionorg
{
  "id": "asc5102151091125",
  "linkid": "ascensionorg",
  "type": "Ransomware",
  "date": "2/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '5.6 million patients',
                        'industry': 'healthcare',
                        'location': 'United States',
                        'name': 'Ascension',
                        'type': 'healthcare provider'}],
 'attack_vector': ['phishing',
                   'exploitation of outdated encryption (RC4)',
                   'Kerberoasting',
                   'privilege escalation via Active Directory'],
 'data_breach': {'data_encryption': 'no (RC4 encryption exploited)',
                 'data_exfiltration': 'yes',
                 'number_of_records_exposed': '5.6 million',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high (PII, PHI, financial data)',
                 'type_of_data_compromised': ['personal data',
                                              'medical records',
                                              'payment information',
                                              'insurance details',
                                              'government IDs']},
 'date_detected': '2024-02',
 'description': "A ransomware attack on Ascension hospital in 2024 resulted in the theft of personal data, medical data, payment information, insurance information, and government IDs for over 5.6 million patients. The attack originated from a contractor clicking a phishing link via Microsoft Bing and Edge, exploiting vulnerabilities in Microsoft's Active Directory (Kerberoasting technique) due to outdated RC4 encryption support. Hackers gained administrative privileges and deployed ransomware across thousands of systems.",
 'impact': {'brand_reputation_impact': 'high (public scrutiny, regulatory concern)',
            'data_compromised': ['personal data',
                                 'medical records',
                                 'payment information',
                                 'insurance information',
                                 'government IDs'],
            'identity_theft_risk': 'high (5.6M records exposed)',
            'operational_impact': 'severe (healthcare operations disrupted)',
            'payment_information_risk': 'high',
            'systems_affected': 'thousands of computers'},
 'initial_access_broker': {'entry_point': 'phishing link clicked via Microsoft Bing/Edge on contractor’s laptop',
                           'high_value_targets': ['Active Directory administrative privileges']},
 'investigation_status': 'ongoing (FTC investigation requested by Sen. Wyden)',
 'lessons_learned': ['Default configurations in enterprise software (e.g., Microsoft Active Directory) can enable large-scale breaches if outdated protocols (e.g., RC4) are retained.',
                     'Kerberoasting exploits persist due to legacy encryption support, despite decades of warnings.',
                     'Organizations rarely modify default security settings, placing burden on vendors to enforce secure defaults.',
                     'Phishing remains a critical initial access vector, especially via default applications (e.g., Microsoft Edge/Bing).'],
 'motivation': ['financial gain (ransomware)', 'data theft'],
 'post_incident_analysis': {'corrective_actions': ['Microsoft’s planned deprecation of RC4 (Q1 2026 for Active Directory).',
                                                   'Ascension likely implemented stricter password policies and Active Directory monitoring post-breach.'],
                            'root_causes': ['Use of obsolete RC4 encryption in Active Directory (enabled by default).',
                                            'Default weak password policies for privileged accounts.',
                                            'Phishing attack via default Microsoft applications (Edge/Bing).',
                                            'Lack of network segmentation allowing lateral movement to thousands of systems.']},
 'ransomware': {'data_encryption': 'yes (ransomware deployed across systems)',
                'data_exfiltration': 'yes'},
 'recommendations': ['Microsoft should disable RC4 by default immediately (planned for Q1 2026 is insufficient).',
                     'Enforce stronger default password policies for privileged accounts (e.g., 14+ characters).',
                     'Healthcare sector should prioritize patching Active Directory vulnerabilities and monitoring for Kerberoasting.',
                     'Vendors must proactively deprecate obsolete encryption standards, even if it risks breaking legacy systems.',
                     'Public disclosure of timelines for security fixes should be accelerated to reduce exposure windows.'],
 'references': [{'source': 'CyberScoop'},
                {'source': 'Sen. Ron Wyden’s letter to FTC Chair Andrew Ferguson'},
                {'source': 'CISA, FBI, NSA joint advisory (2023–2024) on RC4/Kerberoasting'}],
 'regulatory_compliance': {'legal_actions': ["Sen. Ron Wyden's call for FTC investigation into Microsoft's default security configurations"],
                           'regulatory_notifications': ['CISA, FBI, NSA warnings (2023–2024) about RC4/Kerberoasting exploits in healthcare']},
 'stakeholder_advisories': ['Sen. Wyden’s oversight findings shared with Ascension and Microsoft'],
 'title': 'Ascension Hospital Ransomware Attack (2024)',
 'type': ['ransomware', 'data breach', 'phishing'],
 'vulnerability_exploited': ['RC4 encryption (obsolete since 1980s)',
                             'Kerberoasting in Active Directory',
                             'default weak password policies (privileged accounts <14 characters)']}