La Sapienza University of Rome, one of Europe’s largest higher-education institutions with about 120,000 students, has been forced offline for days following a disruptive cyberattack that has crippled core IT services and left its website inaccessible.
The university said it proactively shut down systems to contain the incident while teams work to restore services from unaffected backups. Email, campus workstations, and other communication channels remain partially limited as digital services are brought back online in phases.
Italy’s flagship university hit as core systems go offline
As a research powerhouse spanning medicine, engineering, and the humanities, La Sapienza depends heavily on centralized platforms for exams, enrollment, and research collaboration. Early indications suggest the institution prioritized containment over continuity, a move consistent with best practice when there’s a risk of malware propagation or data exfiltration.
Campus operations have not fully halted. The university said exams are proceeding, though students must register directly with professors until online tools return. Temporary “infopoints” across campus are providing guidance while online portals remain down.
Ransomware suspected but unconfirmed amid investigation
Italian media reports attribute the outage to a ransomware incident and name a previously unknown group, “Femwar02,” allegedly using the BabLock malware, also known as Rorschach. According to those reports, the attackers delivered a ransom demand via a link that starts a 72-hour countdown only when clicked—an intimidation tactic meant to pressure victims into rapid negotiation.
Italy’s national cybersecurity agency, Agenzia per la Cybersicurezza Nazionale, is investigating. Neither the university nor authorities have publicly confirmed the ransomware diagnosis or whether any data was taken. That distinction matters: encryption-only attacks primarily disrupt operations, but data theft raises legal and privacy obligations under GDPR and can prolong recovery.
What to know about BabLock ransomware and its tactics
BabLock, dubbed Rorschach by researchers who examined it in 2023, is a highly efficient ransomware strain known for rapid, multi-threaded encryption and extensive use of “living off the land” techniques to blend in with normal Windows activity. Operators often combine encryption with data exfiltration to exert “double extortion,” threatening leaks even if backups enable restoration.
While the reported group behind this attack appears new, the tooling is not. The education sector has seen a steady rotation of criminal crews deploying well-known families with customized playbooks, often entering via compromised credentials, vulnerable VPNs, or exposed remote services.
Why universities are prime targets for cybercriminals
Universities operate sprawling, heterogeneous networks that mix research labs, student devices, legacy systems, and cloud apps—an ideal environment for lateral movement. Open access principles and federated IT models can complicate centralized security controls, while high-value datasets (from biomedical research to personal records) increase extortion leverage.
The European Union Agency for Cybersecurity has consistently ranked ransomware among the top threats across the bloc, with education repeatedly singled out as a high-activity sector. IBM’s latest Cost of a Data Breach report notes the global average breach cost rose to $4.88M, underscoring how prolonged outages and incident response can rapidly inflate expenses even before factoring in ransom payments.
Recent cases show the breadth of impact. Maastricht University paid a ransom in 2019 to recover systems, later recouping funds after law enforcement seizures. The University of Duisburg-Essen spent months rebuilding after a 2022 attack. And data-theft-only operations—such as intrusions attributed to ShinyHunters against prominent U.S. universities—demonstrate that encryption is not required for painful, public extortion.
Operational fallout and student impact across campus
The immediate priority at La Sapienza is safe restoration, which typically involves rebuilding identity services, validating backups, and reissuing credentials where necessary. The university’s statement that backups were not affected is encouraging and suggests a shorter tail for technical recovery—though thorough forensic analysis can extend timelines as teams triage and harden systems.
Students and staff should expect staged restorations and tighter security controls: forced password resets, expanded multi-factor authentication, and temporary limits on remote access. If investigators confirm data theft, formal notifications and credit monitoring guidance may follow, as required by privacy law and sector norms.
What comes next as authorities assess scope and damage
In the coming days, watch for confirmation of the attack type, clarity on any data exposure, and indicators of compromise shared with the wider higher-ed community. Under emerging NIS2 obligations in the EU, major incidents typically trigger rapid reporting to national authorities, which helps coordinate defenses across sectors.
Longer term, universities are doubling down on fundamentals: segmented networks, immutable and offline backups, tighter identity governance, continuous monitoring, and tabletop exercises that streamline decisions when minutes matter. La Sapienza’s choice to isolate systems early reflects that shift—contain first, then restore—aimed at limiting damage in a threat landscape where speed and resilience decide outcomes.