Full Report
Rome’s Sapienza University, Europe’s largest university by number of on-campus students, is grappling with a major IT outage following a cyberattack that disrupted digital services across the institution. The attack has forced the university to take critical systems offline as officials work to contain the incident and restore operations.

The university publicly acknowledged the cyberattack earlier this week through a social media statement, confirming that its IT infrastructure “has been the target of a cyberattack.” As an immediate response, Sapienza ordered a shutdown of its network systems “to ensure the integrity and security of data,” a decision that triggered widespread operational disruptions.

## Updates to the La Sapienza Cyberattack

Sapienza University of Rome enrolls more than 112,500 students, making the impact of the outage particularly significant. Following the incident, university officials notified Italian authorities and established a dedicated technical task force to coordinate remediation and recovery efforts. As of the latest updates, the university’s official website remains offline, and recovery status updates have been communicated primarily through social media channels, including Instagram.

To mitigate disruption to students, the university announced the creation of temporary in-person “infopoints.” These locations are intended to provide access to information normally available through digital systems and databases that remain unavailable because of the attack.

## Cyberattack on La Sapienza Linked to BabLock Malware

While the university has not publicly confirmed the technical nature of the incident or identified those responsible, the Italian newspaper Corriere della Sera reports that the attack bears the hallmarks of a ransomware operation. According to the outlet, the attack is allegedly linked to a previously unknown, pro-Russian threat actor known as “Femwar02.” The reporting suggests the attackers used BabLock malware, also referred to as Rorschach, based on observed malware characteristics and operational behavior. BabLock first emerged in 2023 and has attracted researchers' attention for its unusually fast encryption speed and extensive customization capabilities.

Sources cited by Corriere della Sera claim that the systems at Sapienza were encrypted and that a ransom demand exists. However, university staff reportedly have not opened the ransom note, as doing so would trigger a 72-hour countdown timer. As a result, the ransom amount has not been disclosed. This tactic, designed to pressure victims into rapid negotiations, is increasingly common in ransomware campaigns using BabLock.

## Investigation and Recovery Efforts Continue

In response to the attack, university technicians are working alongside Italy’s national Computer Security Incident Response Team (CSIRT), specialists from the Agenzia per la Cybersicurezza Nazionale (ACN), and the Polizia Postale. Their primary objective is to restore systems from backups, which, according to reports, were not affected by the attack. Italy’s national cybersecurity agency has confirmed that it is investigating the incident.

However, neither Sapienza University nor Italian authorities have publicly verified whether the attack involved ransomware or whether any data was exfiltrated. This distinction is critical: encryption-only incidents primarily cause operational disruption, while confirmed data theft can trigger additional legal and regulatory obligations under the EU’s General Data Protection Regulation (GDPR).
Analysis Summary
# Incident Report: Major Cyberattack on Sapienza University of Rome
## Executive Summary
Sapienza University of Rome experienced a major IT outage due to a cyberattack that forced the immediate shutdown of critical network systems to secure data integrity. The incident, widely reported to be a ransomware attack utilizing the BabLock malware, has caused significant operational disruption across Europe's largest university. Response efforts are underway involving national cybersecurity agencies, focusing on system restoration via unaffected backups.
## Incident Details
- **Discovery Date:** Not specified; the university publicly acknowledged the attack "earlier this week."
- **Incident Date:** Unknown, prior to public acknowledgment.
- **Affected Organization:** Rome’s Sapienza University (La Sapienza).
- **Sector:** Education (Higher Education).
- **Geography:** Rome, Italy.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Presumed ransomware deployment (BabLock/Rorschach malware).
- **Details:** Systems were allegedly encrypted by the threat actor, reportedly linked to a previously unknown pro-Russian group known as "Femwar02."
### Lateral Movement
- **Date/Time:** Unknown.
- **Vector:** Not specified, but implied by successful encryption across systems.
- **Details:** Not specified; the reporting attributes the encryption to BabLock, a malware family noted for its unusually fast encryption speed.
### Data Exfiltration/Impact
- **Date/Time:** Concurrent with the encryption and ransom demand phase.
- **Vector:** Encryption and potential data exfiltration (unconfirmed).
- **Details:** Systems were encrypted. A ransom note was reportedly delivered, but officials have not opened it, avoiding the 72-hour countdown it would trigger. Whether any data was exfiltrated remains unverified.
### Detection & Response
- **Date/Time:** Before the public acknowledgment "earlier this week."
- **Vector:** Internal detection leading to mandated network shutdown.
- **Details:**
1. University publicly acknowledged the attack via social media.
2. Sapienza ordered an immediate, widespread shutdown of network systems.
3. University notified Italian authorities (CSIRT, ACN, Polizia Postale).
4. Dedicated technical task force established.
5. Temporary in-person "infopoints" created for students.
## Attack Methodology
- **Initial Access:** Not publicly confirmed; the compromise that preceded malware deployment has not been described.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Implied, based on the widespread disruption and encryption.
- **Collection:** Unknown; data exfiltration is unverified. If confirmed, it would trigger GDPR reporting obligations.
- **Exfiltration:** Unconfirmed.
- **Impact:** Widespread system encryption, causing a major IT outage and operational disruption.
## Impact Assessment
- **Financial:** Ransom demand amount undisclosed due to non-engagement with the note.
- **Data Breach:** Unconfirmed whether data was exfiltrated. If confirmed, GDPR compliance and reporting obligations are triggered.
- **Operational:** Widespread disruption across the university (over 112,500 students affected); official website offline; reliance shifted to social media updates and physical infopoints.
- **Reputational:** Significant public disruption affecting a major European institution.
## Indicators of Compromise
- **Network Indicators:** None published.
- **File Indicators:** No hashes published; the malware family is reported as BabLock (also referred to as Rorschach).
- **Behavioral Indicators:** Rapid encryption speed characteristic of BabLock; a ransom note that, when opened, reportedly starts a 72-hour countdown timer.
## Response Actions
- **Containment measures:** Immediate network shutdown ordered to ensure data integrity and halt further impact.
- **Eradication steps:** Technicians are working with national agencies (CSIRT, ACN, Polizia Postale) toward system cleanup.
- **Recovery actions:** Primary recovery strategy is restoring systems using backups, which reportedly were unaffected by the attack.
## Lessons Learned
- The swift, preemptive network shutdown, while causing immediate operational pain, successfully prioritized data integrity over immediate service uptime.
- Falling back on improvised public channels (social media) when core digital infrastructure fails highlights the need for hardened, out-of-band communication plans.
- The 72-hour countdown tied to opening the ransom note is a pressure tactic reported to be increasingly common in BabLock campaigns; leaving the note unopened has so far kept the timer from starting.
## Recommendations
- Prioritize immediate full recovery using unaffected backups.
- Conduct a forensic analysis with national authorities to determine whether, and to what extent, data was exfiltrated, since confirmed theft triggers GDPR obligations.
- Review and test alternate, emergency communication protocols independent of the primary IT network infrastructure.
- Harden network access controls against the initial-access vectors that precede deployment of ransomware such as BabLock.