Femwar02

Also known as: Femwar02

Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on Italy’s Sapienza University of Rome in February 2026, which caused a full network shutdown and operational disruptions. The group deploys Bablock (also known as Rorschach), a next-generation ransomware strain first identified in 2023 that features fast hybrid encryption (curve25519 and hc-128), partial file encryption for speed, direct system calls to evade detection, and domain-wide propagation via Group Policy on Windows Domain Controllers. Bablock shares code similarities with LockBit 2.0 but incorporates elements from other families like Babuk and DarkSide, often delivered via encrypted payloads, DLL sideloading with tools like DarkLoader, and exploits such as those in Zimbra or phishing. Notably, the malware skips encrypting files written in Russian, reinforcing its pro-Russian alignment, with no prior attributions or campaigns documented before the Sapienza incident.

🌍 Country Russia

Introduction

Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on Italy’s Sapienza University of Rome in February 2026, which caused a full network shutdown and operational disruptions. The group deploys Bablock (also known as Rorschach), a next-generation ransomware strain first identified in 2023 that features fast hybrid encryption (curve25519 and hc-128), partial file encryption for speed, direct system calls to evade detection, and domain-wide propagation via Group Policy on Windows Domain Controllers. Bablock shares code similarities with LockBit 2.0 but incorporates elements from other families like Babuk and DarkSide, often delivered via encrypted payloads, DLL sideloading with tools like DarkLoader, and exploits such as those in Zimbra or phishing. Notably, the malware skips encrypting files written in Russian, reinforcing its pro-Russian alignment, with no prior attributions or campaigns documented before the Sapienza incident.

Activities and Tactics

Country of Origin: πŸ‡·πŸ‡Ί Russia

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Unknown Logger
  • CyberGate
  • Cyber Eye RAT
  • Windows Remote Desktop
  • Xploit

Attribution and Evidence

Country of Origin: Russia Additional attribution information pending cataloguing.

References

References pending cataloguing.