Understanding the Timeline of the Sapienza University Cyberattack
The cyberattack on Sapienza University of Rome unfolded rapidly in early February 2026, catching one of Europe's premier academic institutions off guard. On February 2, reports emerged of unusual activity within the university's IT infrastructure. By February 3, Sapienza officially disclosed the incident via its Instagram account, announcing that its systems had been targeted and that an immediate shutdown of network systems was ordered as a precautionary measure to safeguard data integrity and security. This decision left the university's website, student portals, and internal communications largely inaccessible.
As of February 5, the outage had persisted for three full days, with core services still offline. Updates from the university indicated that technicians were working tirelessly to restore operations from unaffected backups. By February 6, partial restorations began, including the Identity Management system, allowing limited authentication to federated services. However, platforms like Infostud—the central hub for exam bookings, tuition payments, and academic records—remained down, forcing manual workarounds.
Throughout the week, Sapienza communicated primarily through social media, providing status updates and advising students to visit physical infopoints on campus. The incident highlighted the fragility of digital dependencies in modern higher education, where a single breach can halt operations across a sprawling institution serving over 115,000 students.
Sapienza University: A Pillar of European Higher Education
Founded in 1303, Sapienza University of Rome stands as Italy's flagship institution and Europe's largest university by enrollment, boasting more than 115,000 students and 8,000 faculty and staff across 11 faculties and numerous research centers. Its campuses span central Rome, encompassing historic sites and modern facilities dedicated to fields ranging from medicine and engineering to humanities and sciences. Sapienza consistently ranks among the top 150 universities globally, contributing significantly to Italy's research output and Europe's knowledge economy.
The university's scale amplifies the stakes of any disruption. Its Infostud platform alone handles millions of transactions annually, from course registrations to thesis submissions. When ransomware struck, it didn't just affect Rome—it reverberated across Europe, as Sapienza hosts thousands of international students and collaborates on pan-continental projects funded by the European Union.
The Nature of the Attack: BabLock Ransomware Explained
Investigations point to BabLock ransomware, also known as Rorschach or Bablock, a sophisticated strain first identified in 2023. This malware derives from leaked source code of notorious families like Babuk, LockBit version 2.0, and DarkSide, enabling rapid encryption of files and systems. Unlike traditional ransomware that simply locks data, BabLock is customized for speed and evasion, often avoiding devices set to Russian or post-Soviet languages—a telltale sign of its pro-Russian origins.
The attack likely began with phishing or exploited vulnerabilities, allowing intruders to move laterally across networks. Once entrenched, the malware encrypted critical servers—estimated at around 400—and displayed a ransom note with a link promising a 72-hour countdown upon activation. Demands were rumored to reach one million euros in Bitcoin, though Sapienza refrained from engaging, prioritizing containment over negotiation.
Suspected perpetrators include Femwar02, a newly tracked pro-Russian cybercrime group. While no official attribution has been confirmed, the malware's characteristics align with tactics used in prior education-sector hits.
Immediate Impacts on Students, Faculty, and Operations
The outage plunged Sapienza back to analog operations reminiscent of the 1990s. Students faced chaos: unable to access Infostud, they couldn't book exams, verify tuition status, or contact professors digitally. Exams proceeded, but registrations shifted to direct interactions with faculty, leading to long lines and scheduling conflicts.
- Administrative deadlines, such as degree applications, were extended.
- Research labs lost access to shared drives and email, stalling collaborations.
- International students struggled with visa-related document retrievals.
- Campus infopoints became overwhelmed, handling queries manually.
Faculty reported using personal devices cautiously, while administrative staff resorted to paper records. The disruption affected over 120,000 users, underscoring how universities, with their vast personal data troves, are prime ransomware targets.
Institutional Response: Swift Containment and Recovery
Sapienza's crisis team acted decisively, forming a technical task force in coordination with student representatives and administrative units. Backups proved crucial, enabling phased restoration without compromise. By February 6, core authentication services returned online after rigorous security testing.
Communication remained transparent via Instagram, with posts detailing progress: "The system of Identity Management of Ateneo has been restored. It is now possible to authenticate to the main federated services." Further rollouts targeted Infostud and workstations, emphasizing functionality verification.
No ransom was paid, aligning with best practices that discourage funding criminals. Instead, focus shifted to resilience, including enhanced monitoring and segmentation.
TechCrunch coverage details the early response phases.Government and Expert Involvement in Mitigation
Italy's Agenzia per la Cybersicurezza Nazionale (ACN) and Polizia Postale joined immediately, alongside the national CSIRT. Their expertise aided breach scoping and forensic analysis, ensuring compliance with EU cybersecurity directives like NIS2.
Experts note that universities often lag in zero-trust architectures and regular patching—gaps exploited here. Recovery timelines vary, but Sapienza's proactive shutdown minimized lateral movement.
BleepingComputer analysis on ransomware traits provides technical insights.Broader Implications for European Higher Education
This incident isn't isolated. European universities face escalating threats: Eindhoven University of Technology suffered a major breach in January 2025, disrupting classes. Across the continent, higher education accounts for 10-15% of ransomware victims, per 2026 reports, due to sensitive research data and underfunded IT budgets.
Implications include eroded trust, delayed research outputs, and financial losses—estimated at millions for recovery alone. For Europe, it pressures alignment with the Cyber Resilience Act, mandating robust defenses for critical sectors.
Lessons from Sapienza: Best Practices for University Cybersecurity
- Implement multi-factor authentication (MFA) universally.
- Conduct regular phishing simulations and backups tested quarterly.
- Adopt endpoint detection and response (EDR) tools.
- Develop incident response plans with tabletop exercises.
- Segment networks to limit breach spread.
For higher education professionals seeking roles in IT security, resources like higher ed jobs at AcademicJobs.com offer opportunities to bolster defenses.
Comparative Case Studies: Other European University Attacks
Sapienza joins a grim list. In 2025, a French university consortium faced LockBit, leaking theses data. UK institutions reported 20% rise in attempts per NCSC stats. These cases reveal common vectors: unpatched VPNs and insider threats.
Differences: Sapienza's scale amplified impact, but swift response contained damage better than prolonged outages elsewhere.
Times Higher Education report contextualizes within trends.Future Outlook: Building Resilient Academic Networks
Looking ahead, EU funding via Horizon Europe will prioritize cybersecurity R&D. Universities must invest in AI-driven threat hunting and staff training. For faculty and admins eyeing career growth, higher ed career advice emphasizes skills in compliance and risk management.
Sapienza's recovery signals hope: full operations expected soon, with fortified systems. This could catalyze sector-wide upgrades, ensuring digital continuity.
Navigating Cybersecurity Careers in Higher Education
The attack underscores demand for cybersecurity experts in academia. Roles in threat analysis and compliance are booming. Explore openings at university jobs or research jobs to contribute. Platforms like Rate My Professor highlight secure environments valued by peers.
Photo by Catalin Paterau on Unsplash
