Today, we dive into the wonderful world of cyber security, more specifically into not one but two devastating ransomware attacks on the U.S. health care company Ascension.
There has been a lot of talk about Microsoft's alleged negligence. But as is so often the case with such things, the truth is deeper. This incident shows how a chain of vulnerabilities, from a weak password to outdated systems, can lead to disaster.
Background: The number of ransomware attacks worldwide is going through the roof, and in the USA, a worthwhile target, it jumped in 2024. With over 5,000 reported attacks, an increase of 15 % compared to 2023, the threat is more real than ever. Half of these attacks targeted organizations, including hospitals, government agencies and private companies. The Ascension case is a tragic example of the human cost of this development.
What happened? The attack on Ascension
Imagine a hospital suddenly cut off from the outside world: no electronic medical records, no appointments, no orderly procedures. This is exactly what happened at Ascension. Now multiply that by 140.
The attack of May 2024 did not just shut down 140 hospitals and steal the data of 5.6 million patients; it also created life-threatening situations.
The hack started with a small but momentous action: an external contractor clicked on a malicious link in a Bing search result, which downloaded a malicious file and infected the laptop. This first foothold allowed the attackers to spread across the network. From the infected computer they then gained access to the heart of the network: Windows Active Directory. Active Directory is the master key for all doors in a company. Whoever cracks it holds the master key for almost everything.
‘Kerberoasting’: The vulnerability principle
The attackers used a method called Kerberoasting. It sounds like a cozy barbecue, but it is anything but that. They exploited a long-standing weakness in Microsoft's implementation of the Kerberos authentication protocol, which still supports an insecure legacy encryption method for tickets.
The problem? Even though newer versions of Active Directory are secure, by default they fall back to the outdated, weaker method when a device, such as an infected laptop, asks for it. It is like installing the latest, most secure alarm system while the door still opens with your grandpa's old key.
What is Kerberos and how does it work?
For those who want to know more: Kerberos is a classic authentication protocol from the 1980s. It uses temporary ‘tickets’ to confirm that a device or person is authorised. This is safer than constantly resending passwords.
Kerberoasting takes advantage of the fact that any valid domain user can request a service ticket for any registered service. That ticket is encrypted with a key derived from the password of the service account. Attackers request the ticket, crack the password offline without any further contact with the domain controller, and then have the full access of that service account.
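Because the cracking happens offline, the only place a defender can see this technique is the ticket request itself. The following script is an added example (not from the article) that scans Windows Security event 4769 records for the Kerberoasting pattern: one user obtaining RC4-encrypted (type 0x17) tickets for many named service accounts in a short window, which also catches the downgrade described above. The events, account names and thresholds are constructed.

```python
"""Flag likely Kerberoasting in Windows Security event 4769 ("A Kerberos
service ticket was requested") records: one user asking for RC4-encrypted
(type 0x17) tickets for many distinct service accounts within minutes.
Added example, not from the article; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # legacy ticket encryption type, cheap to crack offline

EVENTS = [  # constructed 4769 events, field names as in the Windows event XML
    {"time": "2024-02-10T09:00:01", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"time": "2024-02-10T09:00:03", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"time": "2024-02-10T09:00:04", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"time": "2024-02-10T09:01:30", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17"},
    # Normal traffic: an AES (0x12) ticket, a machine-account target, one service.
    {"time": "2024-02-10T09:00:10", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"time": "2024-02-10T09:00:12", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17"},
    {"time": "2024-02-10T09:00:15", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
]

def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return [(user, [services])] for every user that obtained RC4 tickets
    for at least `min_services` distinct non-machine accounts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        # Machine accounts (NAME$) and krbtgt are routine targets; a user pulling
        # RC4 tickets for named service accounts is the signal (and, for accounts
        # that support AES, evidence of a deliberate downgrade by the requester).
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            seen = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(seen) >= min_services:
                alerts.append((user, sorted(seen)))
                break
    return alerts
```

Tune `min_services` and `window` to your environment; monitoring tools that legitimately enumerate SPNs will need an allow-list.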
The real cause: weak passwords and other failures
What got lost in the public debate was the role of Ascension itself. Kerberoasting attacks only work if the hashed password is weak enough to be cracked!
The IT security researcher Tim Medin, who coined the term ‘kerberoasting’, is certain: ‘The problem that leads to kerberoasting is fundamentally bad passwords.’ He estimates that even a 10-digit random password would be hard to crack. This suggests that Ascension's compromised password was neither random nor in line with Microsoft's recommendations.
Another expert, Richard Gold, points out further massive security problems:
- Lack of network segmentation: An infected computer should never have direct access to the entire network.
- No least-privilege principle: User accounts should have only the access rights they strictly need.
- No tiering architecture: Important systems (such as the domain controllers) should be strictly separated from less important ones.
In short: the attackers were able to jump directly from the contractor’s laptop to the central ‘master key’ of the network. This simply should not happen in a company of this size. It is a classic case of defence in depth, or rather the lack of it. Imagine a ship with multiple watertight compartments so that one crack in the hull does not sink it. A single vulnerability should never lead to total failure.
Another, often overlooked problem: the attackers remained undetected for three months, from February to May. This points to massive deficiencies in network monitoring and intrusion detection.
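The weak-password point and the least-privilege point can both be checked before an attacker does. Here is an added audit script (not from the article or any vendor tool) that walks an exported list of Active Directory accounts and flags the ones a Kerberoasting attacker could target: an SPN is set, RC4 is still allowed by msDS-SupportedEncryptionTypes, the password is old (and therefore probably human-chosen), and the account is also in a privileged group. The account records and the 365-day age threshold are constructed assumptions.

```python
"""Audit exported Active Directory accounts for Kerberoasting exposure.
Added example, not from the article; records are constructed to look like
a csvde/PowerShell export. Exposure = SPN present, RC4 allowed, old
password, and (worst case) membership in a privileged group."""
from datetime import datetime

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
DES_CRC, DES_MD5, RC4_HMAC, AES128, AES256 = 1, 2, 4, 8, 16
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

ACCOUNTS = [  # constructed records; enc=None means the attribute is not set
    {"sam": "svc_sql", "spn": ["MSSQLSvc/db01:1433"], "enc": None,
     "pwdLastSet": "2018-03-01", "memberOf": ["Domain Admins"], "gmsa": False},
    {"sam": "svc_web", "spn": ["HTTP/web01"], "enc": AES256 | AES128,
     "pwdLastSet": "2024-01-15", "memberOf": [], "gmsa": False},
    {"sam": "gmsa_backup$", "spn": ["backup/bk01"], "enc": AES256,
     "pwdLastSet": "2024-02-01", "memberOf": [], "gmsa": True},
    {"sam": "alice", "spn": [], "enc": None,
     "pwdLastSet": "2023-12-01", "memberOf": ["Domain Admins"], "gmsa": False},
]

def allows_weak_etype(enc):
    """Unset (None/0) means the DC still falls back to RC4 for this account."""
    return not enc or bool(enc & (RC4_HMAC | DES_CRC | DES_MD5))

def audit(accounts, today, max_pwd_age_days=365):
    """Return {sAMAccountName: [issues]} for accounts that can be roasted."""
    findings = {}
    for a in accounts:
        if not a["spn"]:
            continue  # no SPN: nobody can request a ticket keyed to this password
        if a["gmsa"]:
            continue  # gMSA: long random password rotated automatically, not crackable
        issues = []
        if allows_weak_etype(a["enc"]):
            issues.append("rc4-allowed")
        age = (today - datetime.fromisoformat(a["pwdLastSet"])).days
        if age > max_pwd_age_days:
            issues.append(f"password-age-{age}d")
        if PRIVILEGED & set(a["memberOf"]):
            issues.append("privileged-spn-account")  # least privilege violated
        if issues:
            findings[a["sam"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, datetime(2024, 5, 8)).items():
        print(name, ", ".join(issues))
```

The remediation for each finding is the same as the article's recommendations: move the service to a gMSA or set a long random password, restrict the account to AES, and take it out of privileged groups.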
And as if that were not enough: a second data leak
As if the May 2024 disaster were not enough, Ascension fell victim to a data leak in a separate incident. As the company announced in May 2025, the personal data of more than 100,000 people was stolen in December 2024.
This hack had nothing to do with the Kerberoasting attack. It was carried out via the software of a former Ascension business partner and is associated with the notorious Cl0p ransomware group. Besides SentinelOne, the team at Barracuda has covered the subject in depth. Here, the attackers exploited a vulnerability in a file transfer platform to steal sensitive information, including:
- Names, addresses, telephone numbers and e-mail addresses
- Social security numbers
- Information on diagnoses and insurance
Ascension was forced to provide free credit and identity protection services for two years to those affected in five different U.S. states. This incident shows once again that the company is struggling with basic security across all channels.
The consequences: when the computers fail
The impact of the hack was devastating and affected human lives. Doctors and nurses could no longer access electronic health records. Systems for ordering tests, procedures and medications were paralysed. A nurse told the US broadcaster NPR of a frightening experience: he almost gave a baby the wrong dose of an anaesthetic because the handwritten documents were confusing.
This incident makes clear what can happen when a healthcare system that has worked fully digitally for years suddenly has to return to paper. Many nurses and caregivers who had never worked with paper documents before suddenly had to resort to decades-old forms dug out of drawers.
The damage goes far beyond the immediate disruption:
- Increased mortality rate: Studies estimate that in-hospital mortality can rise by 1-2 % as a result of a cyberattack.
- Legal consequences: Ascension is already facing lawsuits.
- Financial losses: Aside from possible ransom payments and the cost of restoring the systems, cyberattacks can lead to massive revenue losses and staffing bottlenecks.
Microsoft under criticism
Senator Ron Wyden has officially asked the Federal Trade Commission (FTC) to investigate Microsoft for cybersecurity failures. He accuses the company of endangering critical U.S. infrastructure through its negligent attitude toward security. Wyden publicly criticised Microsoft’s ‘de facto monopoly on the enterprise operating system market’ as a serious threat to national security.
The facts are explosive: Wyden's staff warned Microsoft about the vulnerability in July 2024. On 8 October 2024 Microsoft published a blog post about it, but promised neither a direct customer warning nor a quick software update. Almost a year later, no update has been released that disables the outdated encryption by default.
As Ensar Seker, CISO at SOCRadar, put it: ‘What happened with Ascension is not just a click or an old encryption standard. These are systemic risks stemming from standard configurations and the architectural complexity of widely used software ecosystems such as Microsoft’s.’
What can organizations learn from this?
The greatest lesson from the Ascension debacle is the importance of preparedness and response planning. It is not enough to simply run IT security. You have to assume that an attack will happen at some point.
The most important thing is to have a clear plan and to practise it regularly. Expert Jen Anthony points out: ‘The two biggest factors in an organisation’s response are leadership and communication.’
- Practice, practice, practice: so-called ‘tabletop exercises’ simulate a cyber attack. They reveal vulnerabilities, improve response times and test communication channels.
- Clear communication: In a crisis, it is essential to communicate openly and honestly with employees and customers/patients in order to maintain trust.
Conclusion: a disaster that was preventable
The attacks on Ascension show that there is not one single culprit. Microsoft's convenience in continuing to support outdated standards contributed, but the biggest responsibility lies with Ascension itself.
The lack of security standards, from strong passwords to network segmentation to zero trust principles, was the real reason why the May 2024 attack was so successful. A single vulnerability should not have led to the collapse of such a large network. The second incident shows that this is a systematic problem that goes far beyond a single attack vector.
Especially because attackers will always find new ways, it is the task of companies to implement basic security measures and to continuously maintain them. The story of Ascension is a wake-up call for anyone who believes that cyber security is just an issue for the IT department.
Additional resources on the topic:
- Zero trust principle: What is behind this security model?
- Password security: How do you create really strong passwords?
- Active Directory Best Practices: A Guide for Admins to Secure Active Directory.