{
	"id": "6b6b03fc-c53e-4f23-81c7-b4a736342076",
	"created_at": "2026-04-06T00:14:55.332016Z",
	"updated_at": "2026-04-10T13:11:19.657747Z",
	"deleted_at": null,
	"sha1_hash": "4c8447acfc80f7b17449ca10592118c4de1da777",
	"title": "BlackCat Attacks University of Pisa, Demands $4.5M Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 130514,
	"plain_text": "BlackCat Attacks University of Pisa, Demands $4.5M Ransom\r\nBy Mihir Bagwe\r\nArchived: 2026-04-05 21:09:17 UTC\r\nCritical Infrastructure Security , Cybercrime , Cybercrime as-a-service\r\nThreat Actor Has Been Targeting the Education Sector in Europe and Elsewhere (MihirBagwe) • June 14, 2022    \r\nBlackCat ransomware appears to have claimed the University of Pisa as its latest victim.\r\nSee Also: AI Pushes Cyberattacks to New Speed Levels\r\nRansomware hackers reportedly seek a ransom of $4.5 million after seizing the university’s IT system.\r\nThe threat actor says the ransom is a \"discount price\" that will increase to $5 million after Thursday,\r\nCybersecurity360 reported. The Italian news site shared a screenshot of the alleged ransom note, which contains a\r\nclock counting down the minutes until the price jump.\r\nThe BlackCat ransomware-as-a-service group, which may be a rebrand of the DarkSide or BlackMatter\r\nransomware groups, is also known as ALPHV. Its products are coded with Rust, a programing language known for\r\nfast performance and structural protections against some types of bugs. Analysis by cybersecurity firm Varonis\r\nshows the group actively recruiting operators with promises that affiliates can keep 90% of victims' payouts.\r\nNews of the attack comes days after the BlackCat ransomware group added the University of Pisa to its darknet\r\nlist of victims, according to cybersecurity firm BetterCyber. The company adds that on Saturday, the threat group\r\nposted on its website: \"Let's play, the University goes to sleep, the mafia wakes up?\"\r\nhttps://www.bankinfosecurity.com/blackcat-attacks-university-pisa-demands-45m-ransom-a-19338\r\nPage 1 of 3\n\nThe University of Pisa did not respond to Information Security Media Group's request for comment.\r\nOn BlackCat's Target List: Educational Institutes\r\nThe University of Pisa, founded in 1343, wouldn't be the first academic institution to fall to BlackCat ransomware.\r\nOn June 2, BlackCat's victim list allegedly grew to include a French educational institute, the Ecole des Ingénieurs\r\nde la Ville de Paris.\r\nThe ransomware group on its darknet website reportedly says it stole from the French institute more than 30\r\ngigabytes worth of personally identifiable and financial information and other data protected by European privacy\r\nregulations.\r\nNeither do European institutions stand alone. Among their North American cohorts are Florida International\r\nUniversity, the North Carolina Agricultural and Technical State University, and a Canadian public school district\r\nin Saskatchewan. In Asia, Bangkok's Asian Institute of Technology also underwent a ransomware attack (see:\r\nUpdate: What's BlackCat Ransomware Been Up to Recently?).\r\nNew Attack Vector\r\nBlackCat ransomware affiliates are leveraging unpatched Microsoft Exchange server vulnerabilities, according to\r\na Monday post by the Microsoft 365 Defender Threat Intelligence team.\r\nHow BlackCat ransomware enters a target organization's network depends on the ransomware-as-a-service\r\naffiliate that deploys it, Microsoft researchers say. The most common method is via remote desktop applications\r\nand compromised credentials. But, \"we also saw a threat actor leverage Exchange server vulnerabilities to gain\r\ntarget network access.\"\r\nBlackCat ransomware attack chain via Exchange vulnerability exploitation (Source: Microsoft)\r\nhttps://www.bankinfosecurity.com/blackcat-attacks-university-pisa-demands-45m-ransom-a-19338\r\nPage 2 of 3\n\nMicrosoft did not specify the Exchange vulnerability. It directs readers to a blog post that offers guidance on\r\nremediation for four ProxyLogon vulnerabilities.\r\nThe BlackCat ransomware family is gaining popularity thanks to its cross-platform capabilities that include\r\nfunctionality on Windows and Linux operating systems and VMWare instances. \"It has extensive capabilities,\r\nincluding self-propagation configurable by an affiliate for their usage and to environment encountered,\" Microsoft\r\nsays. That means no two deployments of its offering might look the same.\r\nSource: https://www.bankinfosecurity.com/blackcat-attacks-university-pisa-demands-45m-ransom-a-19338\r\nhttps://www.bankinfosecurity.com/blackcat-attacks-university-pisa-demands-45m-ransom-a-19338\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/blackcat-attacks-university-pisa-demands-45m-ransom-a-19338"
	],
	"report_names": [
		"blackcat-attacks-university-pisa-demands-45m-ransom-a-19338"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c8447acfc80f7b17449ca10592118c4de1da777.pdf",
		"text": "https://archive.orkl.eu/4c8447acfc80f7b17449ca10592118c4de1da777.txt",
		"img": "https://archive.orkl.eu/4c8447acfc80f7b17449ca10592118c4de1da777.jpg"
	}
}