Since February 2, the University of Rome “La Sapienza” has been grappling with one of the most serious cyber incidents ever recorded in the Italian academic sector. For several days, the institutional website and numerous essential digital services remained unavailable, with a direct impact on students, teachers, and administrative staff.

As of today, many elements are still under investigation.

Communication management was fragmented and cautious, while the technical aspects of the attack gradually emerged through journalistic sources and independent analysis.

A structured and deliberate cyberattack

The available information suggests that this was not a simple malfunction or opportunistic attack. All indicators point to a targeted operation, planned and carried out with extensive access to the university’s internal infrastructure.

According to the most credible technical hypotheses, initial access was gained by compromising an account with elevated privileges, most likely a system administrator. This type of access allows attackers to move laterally within the network, identify critical systems, and compromise central authentication and data management services.

The initial compromise methods have not been officially confirmed, but they fall within the typical scenarios observed in attacks of this type: targeted phishing, use of weak or reused credentials, or exploitation of outdated systems and legacy technologies still present in the infrastructure.

Custom ransomware not linked to known groups

After gaining initial access, the attackers deployed ransomware, encrypting significant portions of the systems and rendering numerous digital services unavailable.

It is important to clarify a point that is often simplified in media reports: at present, there is no solid confirmation that the malware belongs to a specific known ransomware gang. No public claims have been made, nor has sufficient technical evidence emerged to link the operation to a known actor. Names circulated in the early stages are not found in major cyber threat intelligence (CTI) databases, nor are they associated with public extortion infrastructures, leak sites, or previously documented campaigns.

The elements observed suggest rather the use of a custom or semi-custom payload, compatible with models already seen in the past in operations not attributable to RaaS (Ransomware-as-a-Service) schemes. In these cases, the malware is used as an operational tool within a targeted attack, without public exposure and without formal claims.

Certain technical details, such as the absence of a public extortion campaign or immediate publication of the data, indicate a discreet approach, geared toward direct control of the victim rather than media pressure. This method of operation is consistent with groups or independent operators who favor confidential negotiations and low-profile operations.

Any reference to geographical origins or geopolitical affiliations, in the absence of verifiable evidence, remains purely speculative at this time.

Ransom and Incident Management

A file containing instructions for paying a ransom in cryptocurrency was reportedly found on the compromised systems. The amount demanded has not been made public. According to reports, the university adopted a cautious strategy, avoiding direct interaction with the content of the message so as not to trigger automatic mechanisms linked to extortion.

At the same time, a complex process of forensic analysis and remediation of the infrastructure was initiated, with the support of the Postal Police and the National Cybersecurity Agency. Services were restored gradually to reduce the risk of reinfection or further compromise.

The most critical issue: data

One of the most sensitive aspects concerns the possible exfiltration of data prior to encryption. La Sapienza manages personal and administrative information belonging to hundreds of thousands of people, as well as academic and research data.

At present, it has not been officially clarified whether any data has been stolen, or if so, what kind. However, in attacks of this type, preventive exfiltration is a common practice, used as an additional means of putting pressure on the victim. Even if the data is not published immediately, the risk of fraudulent use in the medium term remains real.

A case study for the academic sector

The cyberattack on Sapienza University of Rome is not an isolated incident, but part of a well-established trend in which universities and public institutions are prime targets for targeted ransomware operations. Complex infrastructures, heterogeneous environments, and the long-standing coexistence of modern and legacy systems increase the attack surface and make defense particularly difficult.

This incident highlights the importance of rigorous privileged access management, effective network segmentation, and tested, realistic incident response plans.
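The privileged-account lateral movement described earlier (an administrator account used to reach authentication and data services across the network) and the access-management and segmentation controls recommended in the paragraph above can be turned into a concrete detection check. The following Python script is an added example; it is not part of the original analysis and not code from CYBEROO or from the university. The log format, host names, account names, allow-list and thresholds are all constructed assumptions. It flags a privileged account authenticating to many distinct hosts within a short window (the fan-out pattern typical of lateral movement) and any privileged logon that originates from a host outside an allow-list of dedicated administrative workstations (a privileged-access and segmentation policy violation).

```python
"""Detect privileged-account fan-out and off-policy privileged logons.

Added example (not from the original article). Log format, host and
account names, thresholds and the allow-list are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events, one per line:
#   <ISO timestamp> user=<account> src=<source host> dst=<target host> result=<outcome>
SAMPLE_LOG = """\
2024-02-02T01:10:02 user=svc-backup src=ws-117 dst=fileserver-01 result=success
2024-02-02T01:11:40 user=admin-ops src=ws-117 dst=dc-01 result=success
2024-02-02T01:12:05 user=admin-ops src=ws-117 dst=srv-auth-02 result=success
2024-02-02T01:12:30 user=admin-ops src=ws-117 dst=db-students result=success
2024-02-02T01:13:10 user=admin-ops src=ws-117 dst=backup-01 result=success
2024-02-02T01:14:00 user=admin-ops src=ws-117 dst=vcenter-01 result=success
2024-02-02T09:00:00 user=m.rossi src=ws-042 dst=mail-01 result=success
2024-02-02T09:05:00 user=m.rossi src=ws-042 dst=fileserver-01 result=success
"""

# Hypothetical policy: which accounts are privileged, and from which hosts
# (dedicated privileged access workstations) they are allowed to log on.
PRIVILEGED_ACCOUNTS = {"admin-ops", "svc-backup"}
ALLOWED_ADMIN_SOURCES = {"paw-01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_fanout(events, privileged, window=timedelta(minutes=10), threshold=4):
    """Alert when a privileged account reaches >= threshold distinct hosts within the window.

    Returns at most one alert per account, anchored at the first event that
    starts a qualifying window.
    """
    by_user = defaultdict(list)
    for event in events:
        if event["user"] in privileged and event["result"] == "success":
            by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        for i, start in enumerate(user_events):
            hosts = {e["dst"] for e in user_events[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "start": start["ts"], "hosts": sorted(hosts)})
                break
    return alerts


def detect_untrusted_sources(events, privileged, allowed_sources):
    """Return (user, src, dst) for privileged logons not coming from an allowed admin host."""
    return [
        (e["user"], e["src"], e["dst"])
        for e in events
        if e["user"] in privileged and e["src"] not in allowed_sources
    ]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for alert in detect_fanout(parsed, PRIVILEGED_ACCOUNTS):
        print(f"FAN-OUT  {alert['user']} from {alert['start']}: {', '.join(alert['hosts'])}")
    for user, src, dst in detect_untrusted_sources(parsed, PRIVILEGED_ACCOUNTS, ALLOWED_ADMIN_SOURCES):
        print(f"OFF-POLICY  {user} logged on to {dst} from non-admin host {src}")
```

In the constructed sample, the administrator account touches five different servers (domain controller, authentication server, student database, backup host, virtualisation manager) in under three minutes from an ordinary workstation, so both checks fire; the regular user's two logons do not. The window and threshold are deliberately simple and would need tuning per environment, and in practice the events would be fed from the central log platform rather than an inline string.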

While recovery efforts continue and investigations are ongoing, one thing is clear: the Sapienza case sends a strong message to the entire Italian public and academic sector, which must consider cybersecurity not as an ancillary issue, but as a structural element of business continuity.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO