I agree with your conclusion, but keep in mind that most policies don't cover things that are actuarially impossible to predict, like acts of war. Both sides of this situation seem to have reasonable cases; the results will depend on the definition of "act of war."
Is "Criminal organization decides to create damaging ransomware" really so substantially different from "Criminal organization (known as the Russian Federation) decides to create damaging ransomware" that Zurich actuaries can earnestly predict the likelihood of one but not the other?
I assert that the line between cyberwar and cybercrime is very faint.
