Detailed Timeline of the Sapienza Cyberattack

Understanding the sequence of events provides critical context for the scale of the disruption. Here's a step-by-step breakdown based on official updates and reports:

• February 1: Initial breach detected; suspected initial access via phishing or exploited vulnerability in outdated software.
• February 2: University activates emergency protocols, shuts down systems, and notifies Italy's Agenzia per la Cybersicurezza Nazionale (ACN).
• February 3: First public statement on Instagram; infopoints established on campus for student support.
• February 4-5: Restoration attempts from clean backups begin; website remains offline.
• February 6-8: Systems still offline as investigations continue; exams proceed manually via professors.

As of February 8, 2026, full operations have not resumed, with technicians coordinating with national authorities.

The Nature of the Ransomware Attack

Ransomware, a type of malicious software that encrypts files and demands payment for decryption keys, is the prime suspect. Specifically, indicators point to BabLock (also known as Rorschach), a sophisticated strain first identified in 2023. This malware combines code from notorious families like Babuk, LockBit 2.0, and DarkSide, enabling rapid encryption of large datasets.

The attackers, tracked as Femwar02—a newly emerged pro-Russian threat actor—allegedly left a ransom note with a 72-hour countdown timer that activates only upon opening. Sapienza staff wisely avoided this to prevent escalation. The malware's design spares systems in Russian or post-Soviet languages, hinting at geopolitical motivations amid ongoing European tensions.TechCrunch Report

Immediate Operational Impacts on Students and Faculty

With over 120,000 users affected, the outage has ripple effects across campus life. The Infostud platform—essential for exam bookings, tuition payments, grade checks, and faculty communications—is inaccessible, forcing manual processes. Students must now coordinate directly with professors for assessments, while administrative tasks like degree applications have seen deadlines extended.

Faculty report limited email access, hindering research collaborations and lecture preparations. Research labs relying on networked servers face delays in data analysis and grant submissions. For international students, particularly those in Europe-wide programs, visa and mobility services are stalled. Yet, in-person classes and exams continue, showcasing resilience.

If you're navigating career challenges amid such disruptions, resources like higher ed career advice can provide stability.

University Response and National Support

Sapienza formed a technical task force immediately, prioritizing isolation and backup restoration. Temporary infopoints on campus offer in-person guidance, though limited by digital dependencies. Communications shifted to Instagram, ensuring transparency without compromising security.

Italy's ACN, Polizia Postale, and CSIRT are deeply involved, analyzing the breach scope and attributing tactics. No payment has been made, aligning with no-ransom policies recommended by experts. Recovery involves rigorous verification of backups to avoid re-infection.

Photo by KOBU Agency on Unsplash

Attribution to Femwar02 and Geopolitical Context

Femwar02, a nascent group, mirrors tactics of state-aligned actors disrupting Western institutions. The selective encryption avoidance of Russian-language systems suggests hybrid warfare elements, possibly retaliation for EU sanctions. While no official claim on dark web portals (Rorschach doesn't maintain one), data exfiltration risks loom under GDPR scrutiny.

Broader Implications for European Higher Education

This incident underscores rising cyber threats to universities, valuable targets due to vast research data, intellectual property, and lax security in legacy systems. In 2025, education saw 251 global ransomware incidents, with Europe experiencing a 21% surge in attacks per GÉANT reports.

Stakeholders—students losing learning time, faculty pausing research, admins overwhelmed—face long-term effects like delayed graduations and funding risks. European unis must bolster defenses amid geopolitical strains.

Statistics on Cyber Threats to Universities

Key data reveals the crisis:

• Education orgs faced 4,356 weekly attacks in early 2025, up 41% YoY (Check Point).
• 39% of European pros report more attacks (ISACA 2025).
• ENISA notes ransomware as top threat for EU institutions.

For faculty eyeing secure environments, check university jobs in Europe.

Similar Cyber Incidents in European Higher Ed

Sapienza isn't alone. Eindhoven University of Technology (Netherlands, Jan 2025) suffered a breach disrupting exams. Other cases include UK and German unis hit by LockBit variants. Patterns: phishing entry, lateral movement, encryption. Lessons: segment networks, train staff.

Best Practices and Solutions for Universities

To fortify defenses:

• Implement multi-factor authentication (MFA) everywhere.
• Regular vulnerability scans and patch management.
• Immutable backups offline.
• Cybersecurity training: simulate phishing quarterly.
• Zero-trust architecture to limit breach spread.

ENISA's Threat Landscape 2025 advocates EU-wide collaboration. Institutions adopting these reduce recovery time by 50%.

Photo by Lukas on Unsplash

Future Outlook and Recovery Prospects

Sapienza aims for phased restoration, potentially weeks away. Long-term, expect enhanced cybersecurity investments, possibly EU funding boosts. For higher ed pros, this era demands resilience; explore higher ed jobs with robust IT.

Stakeholder perspectives: students seek transparency, faculty prioritize research continuity, admins focus on compliance.

Navigating Careers in a Cyber-Threatened Higher Ed Landscape

As disruptions mount, professionals can pivot: rate experiences at Rate My Professor, seek stable roles via university jobs, or upskill through career advice. Post a vacancy at post a job to attract talent undeterred by risks. Sapienza's saga reminds us: preparedness ensures continuity.