Europe’s Largest University Knocked Offline by Ransomware Attack

La Sapienza University of Rome, one of Europe's largest universities with approximately 120,000 students, has been without functioning computer systems for three days following what authorities are investigating as a ransomware attack. The university made the decision to shut down its entire digital infrastructure on Tuesday after discovering the breach, leaving students and staff unable to access email, workstations, or the institution's main website.

The shutdown came after the university detected that its IT systems had been targeted in a cyberattack. To protect data and prevent further damage, university officials immediately disconnected all network systems as a precautionary measure. A technical task force was formed to assess the extent of the attack and begin restoration procedures, working alongside Italy's National Cybersecurity Agency.

Background

La Sapienza, founded in 1303, is one of the oldest and largest universities in Europe. Based in Rome, it serves over 112,500 enrolled students across multiple campuses. The institution is a major research hub and educational center, making the outage particularly disruptive to academic operations.

Cyberattacks on universities have become increasingly common in recent years. Educational institutions often hold valuable data and lack the strong security infrastructure of larger corporations, making them attractive targets for hackers. In 2025, other major universities including Harvard and the University of Pennsylvania were targeted by hackers seeking to extort money from the institutions.

Key Details

According to Italian newspaper Corriere della Sera, the attack involved ransomware sent by a group calling itself Femwar02. The attackers reportedly sent university officials a link containing a ransom demand, which includes a 72-hour countdown timer. However, the timer only begins once someone clicks the link, giving the attackers control over the negotiation timeline while the university works to restore its systems.

The malware used in the attack appears to be BabLock, also known as Rorschach, which was first discovered in 2023. This ransomware strain is known for its fast encryption speeds and extensive customization options. Security researchers at Check Point have determined that Rorschach was built using code from leaked sources of several notorious ransomware families, including Babuk, LockBit v2.0, and DarkSide.

University Response and Recovery Efforts

The university has not publicly confirmed details about the ransom demand or the specific amount requested. Staff members have deliberately avoided opening the ransom message to prevent the countdown timer from starting, according to reports from Corriere della Sera.

Technicians at the university are working to restore systems using backup copies, which were not affected by the attack. The restoration effort involves collaboration with Italy's National Cybersecurity Agency, the Italian Computer Security Incident Response Team (CSIRT), and the Polizia Postale, the country's postal and communications police.

"As a precautionary measure, and in order to ensure the integrity and security of data, an immediate shutdown of network systems has been ordered," the university said in a statement.

While the university's website remains offline, some essential services have been partially restored. Exams are continuing in person, though students who want to register for exams must do so directly with their professors rather than through the usual online system. The university has set up temporary information points on campus to help students access information that would normally be available through digital systems.

The Infostud portal, which students use to book exams, print certificates, and manage their academic records, is currently unavailable. Email and workstation access have been described as "partially limited" as recovery efforts continue.

What This Means

The attack highlights the vulnerability of even major institutions to sophisticated cyber threats. La Sapienza's status as Europe's largest university by student enrollment makes this one of the most significant educational cyberattacks on record, affecting the operations of a major research and teaching institution.

The fact that Femwar02 appears to be a previously unknown group adds another layer of concern. The emergence of new ransomware gangs, particularly those using established malware code, suggests that the threat landscape continues to evolve. While Rorschach does not operate a public extortion portal on the dark web where stolen data is typically displayed, there remains a risk that any data obtained in the attack could be sold or shared with other criminal groups that do operate such portals.

For students and staff at the university, the disruption extends beyond mere inconvenience. Mid-semester operations have been severely impacted, with academic planning, course registration, and communication all affected. The university has advised all users to remain vigilant against phishing attacks and to monitor their accounts for suspicious activity.

The incident also raises questions about cybersecurity preparedness at large institutions. While the university's decision to maintain offline backups proved beneficial for recovery, the attack still resulted in days of operational downtime. As universities continue to digitize their operations, the need for strong security measures becomes increasingly critical.