La Sapienza University IT Systems Shut Down After Russian-Linked Cyberattack

An external cyberattack linked to a pro-Russian threat actor has caused La Sapienza University’s IT systems to go offline and has brought operations at the university to a halt, as reported by the local media after the institution posted about the incident on its Instagram.

Network Shutdown Ordered as Precaution

When the university discovered the cyberattack, it announced the incident on social media. As a response to the attack, they completely shut down the entire university IT system.

By doing so, they were able to limit any further destruction caused by this attack while still ensuring the valid and complete existence of every single piece of data in any of their internal records management systems.

According to university officials, this shutdown was purely a precaution and was done for the purpose of protecting the validity and integrity of La Sapienza University’s internal databases and to minimize the possibility of information being lost as a result of this cyberattack.

The cyberattack affected all digital platforms, preventing teachers and students from accessing their assigned databases. Furthermore, La Sapienza University’s official website is currently down.

Authorities Notified, Task Force Activated

The university confirmed it has notified authorities about the incident and established a dedicated technical task force to manage incident response and system recovery for the incident.

Technicians, together with Italy’s Computer Security Incident Response Team (CSIRT), experts from the Italian National Cybersecurity Agency (ACN), and the Police Force’s Cybercrime Unit, are restoring systems from backups unaffected by the breach.

In an effort to minimize disruption, the university announced the creation of temporary “infopoints” throughout campus.

This will allow students to access information that would normally be available online and through digital systems that are currently out of service due to the incident.

Ransomware Suspected, Details Remain Limited

While there has not been any official confirmation from the university regarding the details of this attack, Italian newspaper Corriere Della Sera states that it appears to have traits of ransomware.

Corriere Della Sera reports that investigators suspect the Russian cyber group Femwar02 carried out the attack and encrypted the university’s records using this virus.

This incident reflects a global trend of high-value ransomware attacks on universities, targeted at their valuable research data and complex networks.

The analysis suggests the method of attack has similarities with the ransomware families known as Bablock or Rorschach based on malware characteristics and other operational evidence. Researchers first identified the Rorschach ransomware strain in 2021, noting its very fast file encryption speeds and extensive configuration options.

Based on prior research, the cybersecurity organization Check Point believes that hackers created this malware using components of Babuk, LockBit-2.0, and Darkside from previously disclosed code.

According to Corriere Della Sera, university personnel received a ransom demand, but have not begun a 72-hour countdown due to their inability to open an alert on the ransom demand. Consequently, they do not know how much is being demanded of them in ransom.

Risk of Data Exposure and Security Warnings

Unlike other adversaries involved in ransomware (examples include REvil, Hive, LockBit), Rorschach does not have a publicly accessible leak/ extortion website on the dark web at this time.

Experts report that Rorschach may sell the data it collects or offer it to others who could use it for extortion. If someone attempts to extort money using your data, they are more likely to make it public.

The university is actively working on restoration, but it has not yet set a target date for fully restoring all systems. As forensic teams complete analyses on each usable system, the university will update the public on the overall status of the inquiry.