Full Report
Rome's "La Sapienza" university has been targeted by a cyberattack that impacted its IT systems and caused widespread operational disruptions at the educational institute. [...]
Analysis Summary
# Incident Report: La Sapienza Ransomware Attack
## Executive Summary
La Sapienza university in Rome was targeted by a significant cyberattack, confirmed to be a ransomware incident likely orchestrated by the pro-Russian threat actor Femwar02. The attack resulted in widespread disruption to IT systems, forcing an immediate shutdown of the network for precautionary measures and data integrity assurance. Authorities were notified, and recovery efforts are underway with backups reportedly intact.
## Incident Details
- Discovery Date: Early this week (Date not precisely specified in source, prior to Feb 5, 2026)
- Incident Date: Early this week (Date not precisely specified in source, prior to Feb 5, 2026)
- Affected Organization: La Sapienza University of Rome
- Sector: Education
- Geography: Rome, Italy
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Details not disclosed by the university; external reporting suggests exploitation leading to ransomware deployment.
- Details: Attack initiated compromise, leading to detection and subsequent shutdown.
### Lateral Movement
- Date/Time: Unknown (Preceded Impact)
- Vector: Implied through ransomware deployment across systems.
- Details: Attackers moved through the network, resulting in data encryption across IT systems.
### Data Exfiltration/Impact
- Date/Time: Unknown
- Vector: Ransomware (Bablock/Rorschach strain suspected).
- Details: Data was encrypted. Reporting suggests potential for data exfiltration, although this is not confirmed by the university.
### Detection & Response
- Date/Time: Upon initial confirmation of compromise ("earlier this week")
- Vector: Internal identification of cyberattack activity.
- Details: The university issued an immediate shutdown of network systems as a precautionary measure. Authorities (Italian CSIRT, ACN, Polizia Postale) were notified, and technical task forces were formed for remediation.
## Attack Methodology
- Initial Access: Unknown (Likely exploiting a vulnerability or weak entry point).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown, though the encryption mechanism suggests successful circumvention of endpoint security to propagate.
- Credential Access: Unknown, but implied for successful encryption deployment.
- Discovery: Unknown.
- Lateral Movement: Implied, to achieve widespread system impact.
- Collection: Potential, as the Rorschach strain suggests data extortion post-encryption.
- Exfiltration: Potential, though not confirmed.
- Impact: Data encryption, leading to system downtime and operational outage. Ransom demand suspected but not confirmed due to not opening the ransom note.
## Impact Assessment
- Financial: Not disclosed; potential costs related to recovery and potential ransom negotiation/payment avoidance.
- Data Breach: High risk of unauthorized access/encryption of data; potential for future public release via data extortion groups.
- Operational: Severe—Widespread operational disruptions; website offline; temporary "infopoints" established to inform students due to unavailabiity of digital systems and databases.
- Reputational: Negative publicity; requires ongoing communication demonstrating effective recovery.
## Indicators of Compromise
- Network indicators: None specified (Defanged by context).
- File indicators: Suspected use of ransomware similar to Bablock/Rorschach strain (a mix of Babuk, LockBit v2.0, and DarkSide components).
- Behavioral indicators: System-wide data encryption; sudden network shutdown.
## Response Actions
- Containment measures: Immediate shutdown of network systems ordered to "ensure the integrity and security of data."
- Eradication steps: Technical task force initiated alongside national cybersecurity agencies (CSIRT, ACN) and police (Polizia Postale).
- Recovery actions: Restoration procedures initiated using backups, which reportedly were not impacted by the encryption.
## Lessons Learned
- Criticality of Backup Integrity: Maintaining segregated and tested backups proved vital for restoration efforts.
- Incident Communication: The necessity of quick, transparent communication, even with limited details (using alternative channels like Instagram).
- Ransomware Preparedness: Incident highlights the risk posed by sophisticated ransomware variants like Rorschach/Bablock.
## Recommendations
- Immediately review and enhance network segmentation to limit lateral movement following initial compromise.
- Conduct thorough investigation into the initial access vector to patch vulnerabilities exploited by the threat actor.
- Increase monitoring for signs of data staging/exfiltration, even if the primary attack vector was encryption.
- Conduct mandatory security awareness training, specifically warning staff and students about potential follow-up phishing attempts targeting recovery confusion.