Wyden’s Right on Ransomware — But RC4 Isn’t the Villain


John Spiegel

9/12/2025 · 5 min read

Oregon’s Senior Senator Ron Wyden lit up headlines this week by urging the FTC to investigate Microsoft for “gross cybersecurity negligence” tied to ransomware. He went so far as to say Microsoft has become “an arsonist selling firefighting services to their victims.” This isn’t the first time Senator Wyden has been banging the drum on cybersecurity. He’s been vocal on Salt Typhoon and on the need for the Federal Judiciary to get serious about securing its case-management system. As a fellow Oregonian, I applaud his actions… More people in his role need to take action to secure our digital future. That said, I disagree with him on who he paints as the villain for ransomware.

My senator’s message is strong. It’s one that resonates with security leaders who’ve had enough of preventable ransomware attacks. Hospitals going dark. Schools shut down. Local governments forced offline. We’re in 2025, and ransomware still feels like an unsolved problem.

But let’s get to the meat of this. Wyden’s technical villain of choice, the RC4 encryption algorithm, is not what’s keeping ransomware gangs in business. Yes, RC4 is outdated and insecure. Yes, it should have been retired years ago. But focusing national attention on RC4 is like blaming the locks on the windows while leaving the front door wide open.

RC4: A Symbol, Not the Root Cause

For those who don’t live and breathe crypto, RC4 is a stream cipher invented in the late 1980s. It was popular because it was fast, but by the mid-2000s the academic world had torn it apart. Weak keys, predictable output — it’s been on the “do not use” list for years.

Microsoft still supports RC4 in some Kerberos flows for backward compatibility. That’s the hook Wyden grabbed onto. He’s not wrong: insecure defaults are a problem. But here’s the truth: ransomware operators aren’t sitting around running RC4 cracking rigs. Microsoft itself says RC4 accounts for less than 0.1% of its traffic and has committed to disabling it by default in 2026. That doesn’t exactly spell “root cause.” Worse, RC4 isn’t what’s helping attackers get in and do their work. Side note: if you really want to go down the crypto path, debate IPsec vs. WireGuard for remote-access VPNs.

The Real Playbook Ransomware Operators Use

The uncomfortable truth is that ransomware thrives not because of broken algorithms, but because of broken fundamentals. This was the message I delivered this week in the Midwest, where I briefed a good number of K-12 IT leaders on the tactics of the Medusa ransomware “as a service” organization. BTW – yes, RWaaS is a real thing. And yes, they operate in the fashion of the McDonald’s franchise model. Alright, back to the key point of this article. If we want to fix the problem, we have to stop chasing symbolic villains and start hitting the actual playbook:

1. Credential Theft & Abuse

Attackers don’t brute-force encryption. They steal identities.

  • Phishing still works — that one click on a malicious link leads to token theft or credential capture.

  • Tools like Mimikatz let attackers dump cached creds and replay them with ease.

  • Pass-the-Hash and Pass-the-Ticket attacks remain brutally effective in Active Directory environments.

Once they’ve got a domain admin account, the encryption algorithm is irrelevant. They own the keys to the kingdom. Recommendation – treat identity for what it is: the keys to the kingdom. Monitor it closely and invest in “just in time” administrative tooling.
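What “monitor it closely” can look like in practice, as an added example that is not code from the article: a small triage pass over Windows Security events that flags the shape pass-the-hash activity tends to leave behind (a privileged account logging on over the network with NTLM from a box that isn’t a tier-0 admin workstation) and, since the article is about RC4, also flags Kerberos service tickets still being issued with RC4 (etype 0x17/0x18) so you know what depends on it before it gets switched off. The event records, hostnames, account names and tier-0 list are all constructed for the example.

```python
# Added example, not code from the article: triage a handful of constructed
# Windows Security event records for two patterns the article describes.
#   - event 4624 network logons (LogonType 3) authenticated with NTLM by a
#     privileged account from a host that is not a tier-0 admin workstation,
#     the shape pass-the-hash activity tends to leave behind
#   - event 4769 service-ticket requests issued with RC4 (etype 0x17/0x18),
#     i.e. the legacy cipher still allowed for backward compatibility
# Hostnames, accounts and the tier-0 list are constructed/hypothetical.
from collections import defaultdict

PRIVILEGED_ACCOUNTS = {"da-admin"}          # hypothetical domain admin
TIER0_HOSTS = {"PAW-01", "DC01"}            # where admin logons are expected
RC4_ETYPES = {"0x17", "0x18"}               # RC4-HMAC and RC4-HMAC-EXP

# Constructed sample events, loosely modelled on the fields of 4624 and 4769.
SAMPLE_EVENTS = [
    {"id": 4624, "account": "jdoe", "logon_type": 3, "auth_pkg": "Kerberos",
     "src": "WS-117", "target": "FS01"},
    {"id": 4624, "account": "da-admin", "logon_type": 3, "auth_pkg": "NTLM",
     "src": "WS-042", "target": "DC01"},
    {"id": 4624, "account": "da-admin", "logon_type": 2, "auth_pkg": "Kerberos",
     "src": "PAW-01", "target": "DC01"},
    {"id": 4769, "account": "svc-sql", "etype": "0x12", "src": "WS-117"},
    {"id": 4769, "account": "svc-backup", "etype": "0x17", "src": "WS-042"},
    {"id": 4624, "account": "da-admin", "logon_type": 3, "auth_pkg": "NTLM",
     "src": "WS-042", "target": "FS01"},
]


def triage(events):
    """Return a list of finding tuples; the first element is the finding kind."""
    findings = []
    ntlm_targets = defaultdict(set)   # privileged account -> hosts reached over NTLM
    for e in events:
        if (e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"
                and e["account"] in PRIVILEGED_ACCOUNTS and e["src"] not in TIER0_HOSTS):
            ntlm_targets[e["account"]].add(e["target"])
            findings.append(("priv_ntlm_network_logon", e["account"], e["src"], e["target"]))
        elif e["id"] == 4769 and e["etype"] in RC4_ETYPES:
            findings.append(("rc4_service_ticket", e["account"], e["src"], e["etype"]))
    # One privileged account fanning out to several hosts over NTLM is the
    # lateral-movement shape worth paging on, not just logging.
    for account, targets in ntlm_targets.items():
        if len(targets) >= 2:
            findings.append(("lateral_spread", account, tuple(sorted(targets))))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In a real pipeline the same fields come out of the event XML (TargetUserName, LogonType, AuthenticationPackageName for 4624; TicketEncryptionType for 4769). The RC4 hits are an inventory of what still needs the legacy cipher, which is the list you want before turning it off; the NTLM hits from non-tier-0 hosts are the ones that justify a just-in-time admin model in the first place.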

2. Unpatched Systems

If there’s a VPN, Citrix gateway, or Exchange server that hasn’t been patched in the last 60 days, it’s probably already on a ransomware crew’s radar. These groups move faster than enterprises patch — scanning the internet within hours of a CVE drop.

The biggest intrusions of the last three years? They didn’t come from crypto weaknesses. They came from unpatched software sitting exposed on the edge. Recommendation – ditch VPN for ZTNA.

3. Weak MFA or None at All

MFA is supposed to be the silver bullet, but it’s often misconfigured or weak. Push-based MFA spamming (fatigue attacks) is still landing victims in 2025. Worse, some environments still rely on password-only VPN or RDP access. That’s not a crypto problem — that’s negligence.

Recommendation – look into phishing-resistant MFA (like FIDO2 keys). While still rare, it stops entire classes of attacks cold. If that isn’t feasible, find a balanced solution such as Okta Verify with number matching.
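Push fatigue is detectable from the identity provider’s own push log, and catching the approval that follows a burst is what lets you revoke the session before the attacker uses it. The following is an added example, not code from the article: a sliding-window detector over constructed push-log lines. The line format (timestamp, user, result), the ten-minute window and the three-push threshold are assumptions for the example.

```python
# Added example, not from the article: sliding-window detection of MFA push
# fatigue over constructed identity-provider push log lines. The log format
# (timestamp user result) and the thresholds are assumptions for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_PUSH_LOG = """\
2025-09-10T02:14:03Z alice DENIED
2025-09-10T02:14:41Z alice TIMEOUT
2025-09-10T02:15:20Z alice DENIED
2025-09-10T02:16:02Z alice TIMEOUT
2025-09-10T02:16:55Z alice APPROVED
2025-09-10T09:00:10Z bob APPROVED
2025-09-10T09:30:44Z bob DENIED
2025-09-10T09:31:12Z bob APPROVED
"""

WINDOW = timedelta(minutes=10)
BURST = 3   # denied or timed-out pushes inside WINDOW that count as a burst


def parse_push_log(text):
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_push_fatigue(events, window=WINDOW, burst=BURST):
    """Return (kind, user, timestamp) alerts.

    push_burst: the user has hit `burst` denied/timed-out pushes within `window`.
    approval_after_burst: an APPROVED push arrived while a burst was still open,
        which is the outcome a fatigue attack is designed to produce; treat the
        resulting session as suspect and revoke it pending a check with the user.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent non-approved pushes
    for ts, user, result in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes that fell out of the window
            q.popleft()
        if result in ("DENIED", "TIMEOUT"):
            q.append(ts)
            if len(q) == burst:           # fire once, when the threshold is crossed
                alerts.append(("push_burst", user, ts))
        elif result == "APPROVED" and len(q) >= burst:
            alerts.append(("approval_after_burst", user, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_push_log(SAMPLE_PUSH_LOG)):
        print(alert)
```

Bob’s single denial followed by an approval is the everyday case (a mistyped prompt, a second attempt) and produces nothing; Alice’s four unanswered pushes at 2 a.m. followed by an approval produce both alerts. Number matching removes the accidental-approve case entirely, which is why the article points to it as the fallback when FIDO2 isn’t on the table.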

4. Flat Networks

This is where things get ugly. Once inside, attackers often find wide-open lateral movement. Flat networks mean one compromised laptop can eventually lead to domain controllers, ERP systems, or hospital imaging equipment.

This is why segmentation — identity-based, least-privilege, Zero Trust segmentation — matters. Without it, containment is impossible. Recommendation – look into role-based segmentation solutions.
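The difference between a flat network and role-based segmentation can be made concrete by asking one question of the policy: from a single compromised workstation, which roles can an attacker land on by chaining allowed admin-capable flows? The following is an added example, not code from the article: a toy policy model with a breadth-first reachability check. The roles, service names and both policies are constructed; a real policy lives in the network or host firewall, and this only reasons about it.

```python
# Added example, not from the article: a toy model of role-based segmentation
# policy, used to measure how far a single compromised workstation can reach
# over admin-capable protocols. Roles, services and both policies are
# constructed for the example.
from collections import deque

# Services that give an attacker a foothold on the destination, as opposed to
# the authentication traffic every domain member legitimately needs.
ADMIN_SERVICES = {"rdp", "smb", "winrm", "ssh"}

# policy[src_role][dst_role] = set of services allowed in that direction
FLAT_POLICY = {
    "workstation": {"file-server": {"smb", "rdp"},
                    "domain-controller": {"rdp", "smb", "ldap", "kerberos"},
                    "imaging": {"rdp"}},
    "file-server": {"domain-controller": {"rdp", "ldap", "kerberos"}},
    "imaging": {"file-server": {"smb"}},
    "paw": {"domain-controller": {"rdp", "winrm"}},
}

SEGMENTED_POLICY = {
    "workstation": {"file-server": {"smb"},
                    "domain-controller": {"ldap", "kerberos"}},
    "file-server": {"domain-controller": {"ldap", "kerberos"}},
    "imaging": {"file-server": {"smb"}},
    "paw": {"domain-controller": {"rdp", "winrm"}},   # admin only from a PAW
}


def admin_reach(policy, start, admin_services=ADMIN_SERVICES):
    """Breadth-first search over admin-capable flows.

    Returns {role: path} for every role an attacker on `start` could land on
    by chaining allowed admin-capable flows. Transitive reach matters: a review
    that only looks at direct flows misses the hop through a server.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, services in policy.get(cur, {}).items():
            if dst not in paths and services & admin_services:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    paths.pop(start)
    return paths


def blast_radius(policy, start):
    """Sorted list of roles reachable from `start` over admin-capable flows."""
    return sorted(admin_reach(policy, start))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "workstation ->", admin_reach(policy, "workstation"))
```

Under the flat policy one laptop reaches the file server, the domain controllers and the imaging systems; under the segmented policy the same laptop reaches only the file share it needs, and the domain controllers are reachable over RDP/WinRM only from the privileged access workstation role. Running this check against an exported policy before and after a change is a cheap way to keep “containment” measurable.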

5. Exposed Remote Services

Believe it or not, open RDP ports are still one of the top entry points. Attackers brute-force weak credentials, buy creds on the dark web, or exploit outdated RDP servers. The lesson: if it’s open to the internet, assume it’s compromised. Recommendation – see above. ZTNA: “this is the way.”
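Sections 2 and 5 above describe the same audit from two angles: edge systems that haven’t been patched in 60 days, and remote-access ports reachable from the whole internet. The following is an added example, not code from the article, that runs both checks over a constructed asset inventory and ranks the hosts that fail both as the ones to fix first. Hostnames, products, patch dates and firewall rules are all constructed; the 60-day threshold is the article’s.

```python
# Added example, not from the article: audit a constructed inventory of
# internet-facing assets for patch age beyond the 60-day mark and for
# remote-management ports reachable from anywhere. Hostnames, products,
# dates and firewall rules are all constructed.
import ipaddress
from datetime import date

MAX_PATCH_AGE_DAYS = 60                      # threshold used in the article
RISKY_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5985: "WinRM", 5986: "WinRM"}
AUDIT_DATE = date(2025, 9, 12)               # constructed "today" for the example

INVENTORY = [
    {"host": "vpn-1", "product": "VPN gateway", "last_patched": "2025-06-01",
     "rules": [{"port": 443, "src": "0.0.0.0/0"}]},
    {"host": "ts-1", "product": "Windows Server", "last_patched": "2025-09-01",
     "rules": [{"port": 3389, "src": "0.0.0.0/0"},
               {"port": 445, "src": "10.0.0.0/8"}]},
    {"host": "mail-1", "product": "Exchange", "last_patched": "2025-08-20",
     "rules": [{"port": 443, "src": "0.0.0.0/0"},
               {"port": 3389, "src": "198.51.100.0/24"}]},
    {"host": "jump-1", "product": "Linux jump box", "last_patched": "2025-05-01",
     "rules": [{"port": 22, "src": "0.0.0.0/0"}]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix-length-zero source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def patch_age_days(asset, today):
    return (today - date.fromisoformat(asset["last_patched"])).days


def audit(inventory, today=AUDIT_DATE):
    """Return finding tuples: (kind, host, ...)."""
    findings = []
    for asset in inventory:
        age = patch_age_days(asset, today)
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(("stale_patch", asset["host"], age))
        for rule in asset["rules"]:
            name = RISKY_PORTS.get(rule["port"])
            if name and is_world_open(rule["src"]):
                findings.append(("exposed_remote_service", asset["host"], name, rule["port"]))
    return findings


def critical_hosts(findings):
    """Hosts that are both stale and exposed: the ones to fix first."""
    stale = {f[1] for f in findings if f[0] == "stale_patch"}
    exposed = {f[1] for f in findings if f[0] == "exposed_remote_service"}
    return sorted(stale & exposed)


if __name__ == "__main__":
    results = audit(INVENTORY)
    for finding in results:
        print(finding)
    print("fix first:", critical_hosts(results))
```

The mail server’s RDP rule is scoped to a single /24 and produces no finding, which is the point: the check is about exposure to the whole internet, not about the port existing. Feeding this from the firewall or cloud security-group export rather than a hand-maintained list is what keeps it honest.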

6. Initial Access Brokers

There’s now a mature underground economy where brokers specialize in breaking into companies. They phish, they drop malware like Qakbot or IcedID, and then they sell the foothold to ransomware crews. It’s a supply chain problem, not a cipher problem. Recommendation – see all of the above! Educate the employees you support and uplevel system monitoring.

7. Poor Backups & Recovery

Even when organizations get encryption under control, they often fail at recovery.

  • Backups are connected to the network and get encrypted too.

  • Or the backups are corrupted, incomplete, or never tested.

  • Or recovery takes weeks, which for a hospital or school is as good as down forever.

Recommendation – test recovery and run ransomware simulation tabletop exercises with your leadership team. Be ready when the monsters get inside the walls!
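“Test recovery” is a procedure, not a checkbox, and the three failure modes listed above each have a check that can run nightly. The following is an added example, not code from the article: it verifies a constructed backup manifest for integrity (hash), completeness (an actual restore of the payload), isolation (at least one offline or immutable copy) and recovery readiness (age of the last restore test). The manifest layout, the JSON payload standing in for a backup image, and the thresholds are assumptions for the example.

```python
# Added example, not from the article: verify a constructed backup manifest
# against the failure modes listed in the text (network-reachable copies,
# corrupt or incomplete data, restores nobody has tested). The manifest
# layout, payload and thresholds are assumptions for the example.
import hashlib
import json
from datetime import date

MAX_RESTORE_TEST_AGE_DAYS = 90
MAX_COPY_AGE_DAYS = 1
CHECK_DATE = date(2025, 9, 12)     # constructed "today" for the example

# Constructed payload standing in for the backup image: a tiny JSON "database".
PAYLOAD = json.dumps({"students": [{"id": 1, "name": "A"}, {"id": 2, "name": "B"}],
                      "expected_rows": 2}).encode()

SAMPLE_MANIFEST = {
    "job": "sis-db-nightly",
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
    "copies": [
        {"location": "nas-01", "offline": False, "immutable": False, "created": "2025-09-11"},
        {"location": "s3-objectlock", "offline": False, "immutable": True, "created": "2025-09-11"},
    ],
    "last_restore_test": "2025-05-15",
}


def restore_drill(payload):
    """Actually restore the payload and check it is complete, not just present."""
    data = json.loads(payload)
    return len(data["students"]) == data["expected_rows"]


def verify_backup(manifest, payload, today=CHECK_DATE):
    """Return a list of human-readable problems; an empty list means ready."""
    problems = []
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        problems.append("integrity: payload hash does not match manifest")
    elif not restore_drill(payload):
        problems.append("completeness: restored data is missing rows")
    # A copy that is only reachable over the network gets encrypted with
    # everything else; require at least one offline or immutable copy.
    if not any(c["offline"] or c["immutable"] for c in manifest["copies"]):
        problems.append("isolation: no offline or immutable copy")
    newest = max(date.fromisoformat(c["created"]) for c in manifest["copies"])
    if (today - newest).days > MAX_COPY_AGE_DAYS:
        problems.append(f"freshness: newest copy is {(today - newest).days} days old")
    test_age = (today - date.fromisoformat(manifest["last_restore_test"])).days
    if test_age > MAX_RESTORE_TEST_AGE_DAYS:
        problems.append(f"recovery: last restore test was {test_age} days ago")
    return problems


if __name__ == "__main__":
    for problem in verify_backup(SAMPLE_MANIFEST, PAYLOAD):
        print(problem)
```

With the sample manifest the only finding is the stale restore test, which is exactly the gap a tabletop exercise tends to surface: the backup exists and verifies, but nobody has proven how long a restore takes. The restore drill here is a JSON load; for a real system it is the same idea with the real restore procedure and a row count or checksum against the source.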

What Wyden Got Right — and Wrong

Wyden is right about insecure defaults. Microsoft (and the industry as a whole) has leaned on convenience for too long. Backward compatibility is a liability. Shipping insecure defaults is a liability. And customers pay the price.

But here’s the miss: RC4 isn’t why Ascension Health went down. RC4 isn’t why schools shut their doors. RC4 isn’t why ransomware is still a billion-dollar industry.

The causes are painfully basic. Weak identity. Patch delays. Flat networks. MFA fatigue. Backups that don’t restore.

That’s not as headline-grabbing as “Microsoft left RC4 turned on,” but it’s the truth practitioners need to hear.

The Real Call to Action

So yes, let’s kill RC4 once and for all. But if Congress, regulators, and enterprises want to make a dent in ransomware, here’s the real call to action:

  • Make phishing-resistant MFA the norm, not the exception.

  • Patch like your life depends on it — because sometimes it does.

  • Ditch your VPN for ZTNA.

  • Segment networks so one laptop compromise doesn’t become an enterprise-wide disaster.

  • Shut down exposed RDP and remote services once and for all.

  • Break the Initial Access Broker supply chain.

  • Test your backups — don’t just assume they’ll save you.

Ransomware isn’t exotic. It’s not crypto magic. It’s attackers exploiting the same weaknesses they’ve been exploiting for years. Until we fix those, we’ll keep watching hospitals divert patients and schools cancel classes.

The fix isn’t sexy, but it works: identity, segmentation, patching, MFA, and tested recovery. That’s how we kill ransomware’s business model.

Last item: Senator Wyden, while I disagree with you on the technical details, keep doing what you are doing and be that strong independent voice. It’s who we are in Oregon, and it’s reflected in the state’s motto, “Alis Volat Propriis” — Latin for “She flies with her own wings.”