When Mer­ck was hit with a ran­somware at­tack in 2017, the phar­ma gi­ant was in fact just col­lat­er­al dam­age from a virus Rus­sia aimed at Ukraine, and the com­pa­ny is strug­gling to re­coup its loss­es be­cause its $1.75 bil­lion in­sur­ance plan doesn’t cov­er acts of war.

Those are de­tails from a rich­ly re­port­ed Bloomberg News sto­ry out yes­ter­day ex­plor­ing how a geopo­lit­i­cal fight in East­ern Eu­rope ac­ci­den­tal­ly en­tan­gled a New Jer­sey-based phar­ma­ceu­ti­cal com­pa­ny and sparked law­suits with ma­jor ram­i­fi­ca­tions for the fu­ture of in­sur­ance and cy­ber­crime.

Mer­ck em­ploy­ees log­ging on to their com­put­ers on June 27, 2017 were greet­ed with a po­lite mes­sage in pink let­ters: “Ooops, your im­por­tant files are en­crypt­ed. … We guar­an­tee that you can re­cov­er all your files safe­ly and eas­i­ly. All you need to do is sub­mit the pay­ment.” The pay­ment was $300 in bit­coin, per com­put­er.

The screen Mer­ck em­ploy­ees saw from the Petya at­tack

Ear­ly on, it was clear that Mer­ck was one vic­tim of a glob­al at­tack that al­so hit Dan­ish ship­ping com­pa­ny Maer­sk, Amer­i­can food com­pa­ny Mon­delez, French con­struc­tion gi­ant Saint-Gob­ain and even the sys­tems mon­i­tor­ing the Cher­nobyl nu­clear pow­er sta­tions, among oth­ers.

Un­like Cher­nobyl, though, it ap­pears that Mer­ck was not an in­tend­ed tar­get. The at­tack was dubbed Not­Petya, a cre­ation of the GRU Russ­ian mil­i­tary in­tel­li­gence agency (the same one that at­tacked the De­mo­c­ra­t­ic Na­tion­al Com­mit­tee), and it was de­signed to strike com­pa­nies and agen­cies in Ukraine, a coun­try that had been in con­flict with Rus­sia since 2014. But, per Bloomberg, Not­Petya con­t­a­m­i­nat­ed a tax soft­ware ap­pli­ca­tion, M.E.Doc, that was run­ning on a serv­er in Mer­ck’s Ukraine of­fice.

From there, it spread to the phar­ma gi­ant’s head­quar­ters, where it would elim­i­nate — in some cas­es — years of re­search, crip­ple Gardis­al 9 pro­duc­tion fa­cil­i­ties and even­tu­al­ly cause (by Mer­ck’s es­ti­mate) $1.3 bil­lion in dam­ages. Mer­ck, though, had a prop­er­ty in­sur­ance plan worth up to $1.75 bil­lion that cov­ered com­put­er da­ta, cod­ing and soft­ware (af­ter a $150 mil­lion de­ductible). But when Mer­ck went to ac­ti­vate the plan, most of their 30 in­sur­ers re­ject­ed them. Your plan doesn’t cov­er dam­ages from mil­i­tary ac­tion, they told “shocked” Mer­ck of­fi­cials.

What fol­lowed were, not sur­pris­ing­ly, a string of law­suits, with Mer­ck claim­ing that it was hit by a cy­ber — not a mil­i­tary — event. These law­suits, Bloomberg re­ports, are be­ing watched for the prece­dents they may set around how fu­ture cy­ber­crime is clas­si­fied.

The in­sur­ers are try­ing to prove two things: that the at­tack re­al­ly did come from Rus­sia and that Mer­ck was not as vig­i­lant as it could have been in pro­tect­ing their da­ta. Mer­ck, as End­points News re­port­ed short­ly af­ter the at­tack, had missed two op­por­tu­ni­ties to in­oc­u­late them­selves against the virus be­fore they were struck.

On Rus­sia, the in­sur­ers have got­ten a hand from the White House. Last year, the Trump Ad­min­is­tra­tion wrote with­out equiv­o­ca­tion that the at­tack “was part of the Krem­lin’s on­go­ing ef­fort to desta­bi­lize Ukraine and demon­strates ever more clear­ly Rus­sia’s in­volve­ment in the on­go­ing con­flict.”

“When the pres­i­dent of the Unit­ed States comes out and says, ‘It’s Rus­sia,’ it’s go­ing to be hard to fight,” Jake Williams, a for­mer Na­tion­al Se­cu­ri­ty Agency hack­er who now helps com­pa­nies hunt for vul­ner­a­bil­i­ties in their com­put­er net­works, told Bloomberg. “I’ll be sur­prised if the in­sur­ance com­pa­nies don’t get a win. This is as sol­id a case as they’re go­ing to get.”

But some le­gal ex­perts ex­pressed greater skep­ti­cism of the in­sur­ers’ case. All signs may point to Russ­ian cul­pa­bil­i­ty but when it comes to cy­ber, it’s not clear what mil­i­tary ac­tion means.

“It’s not go­ing to be an easy case for a judge in the U.S. to de­clare that this was an act of war,” Cather­ine Lotri­onte, a for­mer CIA lawyer who’s taught at George­town Uni­ver­si­ty, told Bloomberg.

An FDA advisory committee noted with concern a small safety database but unanimously endorsed a Horizon Therapeutics drug for a rare eye autoimmune disease that can blind patients: teprotumumab for thyroid eye disease (TED).

“It was a pretty easy vote,” said Erica Brittain, an NIH biostatistician and one of the 12 panelists on FDA’s Dermatologic and Ophthalmic Drugs Advisory Committee.

Timing is Everything
When we launched Octagon Therapeutics in late 2017, I was convinced that the time was right for a new antibiotic discovery venture. The company was founded on impressive academic pedigree and the management team had known each other for years. Our first program was based on a compelling approach to targeting central metabolism in the most dangerous bacterial pathogens. We had already shown a high level of efficacy in animal infection models and knew our drug was safe in humans.

Amid Shehnaaz Suliman’s lengthy resume it could be easy to miss her stint leading early-stage Alzheimer’s R&D at Genentech, where she oversaw a program for the ill-fated crenezumab and initiated one of the first prevention studies around the devastating neurodegenerative disease. But it is this experience that she — after thinking long and hard about her next career move over the past months — will be leaning heavily on as the first president and COO of Alector.

Biogen’s fierce focus on disorders of the brain has hit another roadblock.

On Friday, the US drugmaker — which recently resurrected its amyloid-targeting Alzheimer’s drug, aducanumab — said its anti-tau drug, gosuranemab, failed a mid-stage study in patients with progressive supranuclear palsy (PSP), a rare brain disorder that results from deterioration of brain cells that control movement and thought.