Security firms are known for hyping up the risks to various online threats and coming close to describing this environment as a state of war. But one insurer has really called a ransomware attack an act of war – and this is no hyperbole – they are refusing to pay the claim for damages caused by ransomware. Well, that’s a nasty bit of FUD – Fear, Uncertainty, and Dread.
Just the facts
The issue here is the NotPetya ransomware attack back in 2017-2018. The operations of Mondelez, an American snack food giant were hit. They had problems with hardware, software, and the attack had an impact on their daily operations – distribution and filling orders.
The good thing was that they had an insurance policy from Zurich American Insurance Company that covered all sorts of vulnerabilities such as risks from physical loss and the damages caused by malicious machine code. So Mondelez filed the claim – for $100 million. While Zurich initially offered a much smaller settlement amount, this offer was also walked back and Zurich refused to pay out anything, stating that the NotPetya attack was actually an “Act of war” and explicitly not covered under the terms of the insurance policy. Mondelez has now sued.
Petya and NotPetya go to work
Petya and NotPetya are two related bits of ransomware that utilized exploits from the NSA toolbox. NotPetya had a particular affinity for Ukrainian targets. In particular, an estimated 80% of the 2018 attack wave were in the Ukraine. The top targets were energy companies, utilities, and the electric grid. Thanks to its targeted distribution in the country and it being launched on the eve of the Ukrainian Constitution Day holiday, it is believed to have been a politically motivated attack. Notable victims included the Maersk shipping giant, the Chernobyl radiation detection systems, and Mondelez. It was believed to have been one of the most damaging ransomware attacks to far.
Zurich plays the war card
Faced with a claim of $100 million, Zurich American Insurance Company has refused to pay out – saying that the ransomware attack was an Act of War – and that is excluded from coverage. The problem is headed to the courtroom. However, analysts say that Zurich will have to find a smoking gun to show that Russia – or a specific nation state – was behind the attack.
This is more than just $100 million worth of snacks. State-sponsored activities have been a major part of many malware attacks and data thefts of recent years – think Stuxnet (USA and Israel), think North Korea hacking film studios, think of that massive hack of Equifax. Either way this lawsuit goes, the impact on businesses, insurance in general, and that budding market called cyber-insurance will be around for a long time.