In both those situations whilst it isn't the victims fault, it will invalidate their insurance and any loss is theirs to sort out. So when buying IT services you need to include in the contract the security of it too, a Ransomware attack such as this (and not just because one user infects one machine) would be the fault of the IT provider