La Sapienza University in Rome, one of Europe's largest universities with around 120,000 students, just entered its third day of digital darkness. The school's entire computer infrastructure went down Tuesday following what Italian authorities are investigating as a ransomware attack - forcing the institution to pull the plug on email, workstations, and its main website. While exams continue in-person, the scope of the disruption reveals just how vulnerable even massive educational institutions remain to cyberattacks.
La Sapienza University of Rome, home to roughly 120,000 students and faculty, is now in its third consecutive day without functional computer systems after what appears to be a sophisticated ransomware attack. The institution - one of Europe's largest and oldest universities - announced Tuesday via Instagram that it had proactively shut down its digital infrastructure following a cyberattack, leaving email servers, workstations, and the university's main website completely offline.
The timing couldn't be worse. Mid-semester operations ground to a halt as students found themselves unable to register for exams online, access course materials, or communicate through official channels. According to TechCrunch, the university confirmed that "some communication channels such as email and workstations are 'partially limited'" - though as of Thursday, the school's website remained completely inaccessible.
Italian newspaper Il Corriere della Sera reported Wednesday that hackers sent university officials a ransom demand with a 72-hour countdown timer - but here's the twist: the clock doesn't start until someone clicks the link. It's a psychological pressure tactic that gives attackers control over the negotiation timeline while the university scrambles to assess the damage.
Behind the attack appears to be a group calling itself Femwar02, a name that didn't exist in cybersecurity circles until this week. According to follow-up reporting from Il Corriere, the hackers deployed BabLock malware - also known as Rorschach - which was first discovered in 2023 and is known for its speed and sophistication. Group-IB documented how this particular ransomware variant can encrypt systems faster than most defensive tools can react.
The emergence of Femwar02 as a new player adds another wrinkle to an already chaotic ransomware landscape. While established gangs like LockBit and ALPHV have grabbed headlines, smaller groups continue to emerge, often leveraging existing malware strains to launch their own operations. The use of BabLock suggests these attackers have access to sophisticated tools, even if their reputation hasn't caught up yet.
Italy's national cybersecurity agency, Agenzia per la Cybersicurezza Nazionale (ACN), confirmed it's investigating but hasn't officially labeled the incident as ransomware. The agency didn't respond to requests for additional details about the attack's scope or whether any data was exfiltrated before systems were encrypted.
La Sapienza told students through social media that it's rebuilding from backups that weren't compromised in the attack - a crucial detail that could mean the difference between a weeks-long recovery and a months-long nightmare. The university set up physical "infopoints" across campus where students can get updates and register for exams the old-fashioned way: directly with professors.
But the operational workarounds don't hide the fundamental vulnerability. Universities have become prime ransomware targets because they hold valuable research data, personal information on thousands of students and staff, and typically operate with limited security budgets stretched across sprawling digital infrastructures. Last year, the notorious ShinyHunters group hit both Harvard and the University of Pennsylvania, stealing data without even deploying encryption in an effort to extort the schools. Neither institution paid, and the hackers leaked the stolen information this week.
The La Sapienza incident follows a familiar pattern: attackers breach networks, move laterally to identify critical systems, exfiltrate sensitive data as leverage, then deploy ransomware to maximize pressure. The three-day outage suggests the encryption was comprehensive, affecting not just individual machines but core infrastructure that takes time to rebuild even with clean backups.
What makes this attack particularly concerning is its scale. With 120,000 users suddenly cut off from digital services, La Sapienza represents one of the largest educational institution attacks in recent European history. The ripple effects extend beyond inconvenience - research projects stall, administrative deadlines slip, and students face uncertainty about their academic records.
The university hasn't disclosed whether it's considering paying the ransom or what amount the attackers are demanding. Il Corriere's reporting suggests it could be substantial, though specific figures haven't been confirmed. Most cybersecurity experts and law enforcement agencies advise against paying, arguing it funds future attacks and offers no guarantee of data recovery.
The La Sapienza attack underscores a hard truth about modern cybersecurity: size doesn't equal safety. One of Europe's premier educational institutions with over a century of history can be brought to its knees by a previously unknown hacking group using off-the-shelf malware. As universities worldwide watch this incident unfold, the lesson is clear - it's not about if you'll be targeted, but when, and whether you'll have the backups and response plans to survive it. For the 120,000 students and staff at La Sapienza, the question now is how long until normal operations resume and whether any sensitive research or personal data ends up in criminal hands.