Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
1 malware family

Femwar02

Also known asFemwar02

Femwar02 is a purported, previously unknown pro-Russian cybercrime group reported by Italian media (including La Stampa and Corriere della Sera) in connection with a disruptive ransomware incident against Sapienza University of Rome (La Sapienza) beginning February 2, 2026, which led the university to take IT systems offline. Reporting attributes the operation to ransomware deployment using a “next-generation” strain referred to as Bablock/BabLock, also linked in coverage to Bablock/Rorschach (Rorschach first observed in 2023), with victim data reportedly remaining encrypted during response efforts. Media reporting also claims the extortion workflow included a ransom-demand link with a 72-hour countdown that would start only after the link is opened, and that staff avoided opening it. The ransomware is described in reporting as typically avoiding encrypting devices configured for Russian or other post-Soviet languages. No additional confirmed victims, sub-groups, or alternative aliases for Femwar02 are provided in the content beyond the name itself and the pro-Russian attribution.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BablockPublic reports confirm that the University suffered a ransomware attack that disrupted its operations... “What appears certain is the use of a next-generation ransomware strain known as ‘Bablock,’ ... The media report links the security breach to Bablock/Rorschach ransomware based on malware traits and tactics. First seen in 2023, this malware family borrows code from leaked Babuk, LockBit v2.0, and DarkSide code.2Mar 8, 2026
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
security affairsNews
Feb 7, 2026
Italian university La Sapienza still offline to mitigate recent cyber attack

Alleged new cybercrime/ransomware actor linked by Italian media to the ransomware attack that forced Rome’s La Sapienza University to shut down IT infrastructure to contain spread and restore operations.

Read more
scworldNews
Feb 6, 2026
La Sapienza University reportedly hit by ransomware attack, operations disrupted | SC Media

Reportedly conducted a ransomware attack against La Sapienza University in Rome, causing major IT disruption and encrypting data; the operation is described as pro-Russian and used a ransomware strain similar to Bablock/Rorschach (noted for rapid encryption).

Read more
techcrunch com securityNews
Feb 5, 2026
One of Europe's largest universities knocked offline for days after cyberattack | TechCrunch

Alleged ransomware attack against La Sapienza University (Rome), with operators reportedly sending a ransom-demand link featuring a 72-hour countdown that starts upon link click.

Read more
bleeping computerNews
Feb 5, 2026
Italian university La Sapienza goes offline after cyberattack

Allegedly conducted a ransomware attack against Sapienza University of Rome, encrypting data and causing operational disruption; reporting notes malware characteristics/operational patterns similar to Bablock/Rorschach ransomware.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.