Uffizi cyberattack: BabLock TTPs, IOCs and attribution gaps
In early 2026, the cyberattack on the Uffizi Galleries became one of the most discussed security incidents in the Italian public sector. The controversy was not only about the intrusion itself, but also about the gap between media reporting and official statements. Several outlets described a ransomware-style operation with extortion and possible data theft, while museum leadership stated that no critical security data or operational passwords had been compromised.

In that context, one malware family repeatedly appeared in technical commentary: BabLock, also tracked by some researchers as Rorschach. Attribution is still incomplete, but the malware’s behavior is documented well enough to support defensive planning. BabLock is especially relevant because it combines high encryption speed, stealthy execution and strong lateral movement potential in Windows enterprise environments.
Why BabLock matters in this case
The most detailed early reporting describes an attack against administrative systems between late January and early February 2026, followed by an alleged ransom demand and claims of stolen internal material. The museum publicly rejected the most severe claims, stating that no passwords had been stolen and that physical security systems had not been compromised.
At the same time, media reports described the attackers as a ransomware-oriented group possibly linked to Eastern Europe, and Corriere della Sera mentioned MedusaLocker as a candidate attribution. The same reporting referred to an investigation for attempted extortion and unauthorized access to computer systems. Attribution remains uncertain, but the case still justifies a close look at BabLock’s operating model, especially because BabLock has already been linked to attacks against La Sapienza University of Rome.
BabLock, often referred to as Rorschach in Check Point research, stands out for speed, evasive execution and flexibility in enterprise networks. Both Trend Micro and Check Point describe a malware family that borrows ideas seen in other ransomware operations while keeping a distinct implementation profile.
TTP and IOC mapping for BabLock/Rorschach
The table below is a practical analyst reference. It maps publicly documented BabLock/Rorschach behaviors to MITRE ATT&CK techniques, summarizes their operational meaning and adds concrete defensive actions.
| Category | TTP / IOC | MITRE ATT&CK | Operational detail | Defensive countermeasures |
|---|---|---|---|---|
| Initial access | Exploit public-facing application | T1190 | The clearest documented entry path is exploitation of an Internet-facing application, especially Zimbra Collaboration through an arbitrary file upload flaw leading to remote code execution. | Patch Internet-facing services quickly, deploy WAF controls, isolate webmail and exposed application tiers, monitor suspicious uploads, and use virtual patching where direct remediation is delayed. |
| Execution | Windows Command Shell | T1059.003 | Analysts observed the abuse of commands such as bcdedit.exe and net1.exe to alter system behavior and prepare the environment for impact. | Log process creation centrally, alert on suspicious LOLBins, restrict command execution with AppLocker or WDAC, and build detections for bcdedit, net, vssadmin and related tooling. |
| Execution | Windows Management Instrumentation | T1047 | WMIC is used for system actions including deletion of shadow copies and other administrative operations that support ransomware execution. | Enable WMI logging, restrict remote administrative execution, watch for anomalous WMIC usage, and tie detections to follow-on recovery impairment events. |
| Defense evasion | DLL side-loading | T1574.002 | BabLock loads malicious components through a legitimate signed executable, a classic side-loading pattern that reduces initial suspicion. | Use application control, monitor unexpected DLL search order behavior, verify integrity of installed binaries, and alert on signed applications loading libraries from unusual paths. |
| Defense evasion | Process injection | T1055 | The payload is decrypted and injected into notepad.exe, giving the attacker a way to blend malicious execution into a normal Windows process. | Use EDR memory scanning, alert on process hollowing or remote thread creation, baseline normal behavior for notepad.exe, and investigate suspicious module loads into low-risk processes. |
| Defense evasion | Native API / direct syscalls | T1106 | BabLock relies on direct syscalls and low-level API usage to reduce telemetry and complicate user-mode monitoring and forensic reconstruction. | Favor kernel-aware sensors, use behavior analytics rather than signature-only rules, monitor for unusual syscall-heavy processes, and enrich hunts with memory and ETW telemetry. |
| Defense evasion | Impair defenses | T1562.001 | The malware attempts to terminate or degrade security products and other protective components before encryption. | Enable tamper protection on security agents, harden admin privileges, separate security tooling from standard endpoint admins, and alert on service stop attempts against EDR and AV components. |
| Defense evasion | Disable or modify system firewall | T1562.004 | Host firewall settings may be altered or disabled to reduce containment and ease follow-on actions. | Enforce firewall policy centrally, deny local override where possible, audit any configuration changes, and correlate firewall changes with privilege escalation or shadow copy deletion. |
| Defense evasion | Clear Windows Event Logs | T1070.001 | The malware clears Windows event logs to reduce visibility and hinder incident reconstruction. | Forward logs to a remote SIEM, alert on log clearing, preserve immutable copies of critical telemetry, and trigger containment when log deletion is chained with ransomware indicators. |
| Discovery | File and directory discovery | T1083 | The malware enumerates files and folders before selecting targets for encryption and impact. | Watch for high-volume recursive enumeration, restrict access to sensitive shares by role, and use decoy files or canary folders to detect hostile browsing behavior early. |
| Discovery | Process discovery | T1057 | Active process enumeration helps the operator identify security tools, databases and other services worth stopping before encryption. | Detect frequent process listing from unusual accounts, link process discovery to later service stop attempts, and maintain strong EDR baselines for administrative activity. |
| Discovery | System information discovery | T1082 | The malware collects system information, including the operating system language, to shape its execution logic. | Build detections for burst discovery commands, reduce standing admin rights, and correlate system recon with suspicious network or file activity within the same session. |
| Discovery | Network share discovery | T1135 | Public reporting indicates share enumeration behavior consistent with expansion across file servers and mapped resources. | Segment SMB traffic, limit writable shares, enable detailed auditing on critical file servers, and deploy honey shares to catch early lateral discovery. |
| Lateral movement | Group Policy modification / GPO propagation | T1484.001 | If run on a Domain Controller, BabLock can create a Group Policy Object to distribute itself to additional domain-joined systems, turning one compromise into a domain-wide event. | Apply administrative tiering, closely monitor GPO changes, require change control on privileged policies, isolate Domain Controllers, and alert immediately on unauthorized GPO creation or edits. |
| Impact | Inhibit system recovery | T1490 | The malware deletes shadow copies and interferes with recovery mechanisms to make restoration harder after encryption. | Maintain offline and immutable backups, detect vssadmin and WMIC shadow copy deletion, separate backup administration from domain administration, and test restoration procedures regularly. |
| Impact | Service stop | T1489 | BabLock stops services, especially databases, backup-related components and server processes that may block or slow encryption. | Alert on abrupt service stops, protect critical services with restricted permissions, isolate backup servers, and use automatic restart or containment rules for essential workloads. |
| Impact | Data encrypted for impact | T1486 | This ransomware is known for extremely fast file encryption, supported by efficient multithreading via I/O completion ports. In Check Point tests, it encrypted a test environment in roughly 4 minutes and 30 seconds. | Use canary files, rate-based ransomware detections, auto-isolate hosts showing mass rename or write bursts, and preserve immutable backups outside the normal trust domain. |
| IOC file | cy.exe | — | Trend Micro reported this filename among the malware artifacts and associated sample metadata. | Push known hashes and filenames to EDR and SIEM, run retrospective hunts across endpoints and malware repositories, and quarantine any matching sample for triage. |
| IOC file | winutils.dll | — | This DLL appears among the components documented in technical analysis and can support loader or side-loading detection. | Deploy YARA and IOC matching, hunt for unusual library loads, and review occurrences of the same filename outside trusted software locations. |
| IOC note | _r_e_a_d_m_e.txt | — | This ransom note filename has been repeatedly reported by analysts and can be a useful forensic clue during rapid triage. | Use file integrity monitoring, search all endpoints and shares for the note, and tie detections to recent encryption or service stoppage events. |
| IOC extension | k1k2k3 plus numeric suffix 00-99 | — | Encrypted files may receive this extension pattern, with variable numeric suffixes that are unusual and useful in detection engineering. | Build detections for sudden appearance of the pattern across endpoints or shares, auto-contain affected hosts, and scan file servers for mass extension changes in near real time. |
| IOC behavior | notepad.exe injection | — | The use of notepad.exe as a host process is a behavior-based indicator that supports higher-confidence hunting than filename-only detection. | Detect process hollowing and remote thread injection, baseline legitimate notepad.exe usage, and collect memory artifacts from suspicious endpoints quickly. |
| IOC behavior | Payload hidden in config.ini | — | BabLock stores or decodes part of its payload from a file named config.ini, turning a seemingly benign configuration file into a staging container. | Hunt for high-entropy or binary-like .ini files, monitor unexpected reads by signed utilities, and add integrity checks to application directories where configuration files should remain static. |
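Several countermeasure cells above say the same thing in different words: a single indicator should alert, but containment should fire only when indicators chain on one host (shadow copy deletion followed by log clearing, a ransom note, a rename burst). The following is an added example of that correlation logic, written for this page and not taken from the article, Check Point or Trend Micro. It runs over constructed Sysmon-style events; the event schema, the hostnames and paths, the 20-renames-per-60-seconds threshold and the reading of "k1k2k3 plus numeric suffix" as a literal `.k1k2k3NN` extension are all assumptions, so tune them against real telemetry before use.

```python
"""Chained-indicator host scoring over constructed endpoint telemetry.

Added example for this page, not code from the article or from any vendor
report. Event fields loosely follow Sysmon (assumption); the k1k2k3NN
extension layout, thresholds and sample hosts/paths are also assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line patterns for recovery impairment (T1490) and log clearing (T1070.001).
RECOVERY_IMPAIRMENT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
]
LOG_CLEARING = re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)
RANSOM_NOTE = "_r_e_a_d_m_e.txt"
ENCRYPTED_EXT = re.compile(r"\.k1k2k3\d{2}$", re.I)   # assumed layout: name.ext.k1k2k3NN
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files")
RENAME_BURST = 20   # renames per host inside one window before T1486 is scored
WINDOW = 60         # seconds


@dataclass
class Event:
    ts: int            # epoch seconds
    host: str
    kind: str          # proc | file_create | file_rename | remote_thread | image_load
    image: str = ""    # acting process image
    detail: str = ""   # command line, target path, loaded DLL or target process


def burst(stamps, threshold, window):
    """True if at least `threshold` timestamps fall inside any sliding `window`."""
    stamps = sorted(stamps)
    lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def indicators(events):
    """Single pass over events; returns {host: set of matched indicator names}."""
    hits = defaultdict(set)
    renames = defaultdict(list)
    for e in events:
        if e.kind == "proc":
            if any(p.search(e.detail) for p in RECOVERY_IMPAIRMENT):
                hits[e.host].add("T1490 inhibit recovery")
            if LOG_CLEARING.search(e.detail):
                hits[e.host].add("T1070.001 clear logs")
        elif e.kind == "file_create" and e.detail.lower().endswith(RANSOM_NOTE):
            hits[e.host].add("ransom note")
        elif e.kind == "file_rename" and ENCRYPTED_EXT.search(e.detail):
            renames[e.host].append(e.ts)          # scored later, by rate not by count
        elif e.kind == "remote_thread" and e.detail.lower().endswith("notepad.exe"):
            hits[e.host].add("T1055 notepad.exe injection")
        elif e.kind == "image_load" and e.detail.lower().endswith("winutils.dll"):
            # The DLL name alone is weak; the name loaded from a user-writable path is the signal.
            if not e.detail.lower().startswith(TRUSTED_DLL_ROOTS):
                hits[e.host].add("T1574.002 side-load winutils.dll")
    for host, stamps in renames.items():
        if burst(stamps, RENAME_BURST, WINDOW):
            hits[host].add("T1486 mass rename burst")
    return hits


def verdict(ind):
    """Contain on an encryption burst or any two chained indicators; one indicator only alerts."""
    if "T1486 mass rename burst" in ind or len(ind) >= 2:
        return "contain"
    return "alert" if ind else "none"


def triage(events):
    ind = indicators(events)
    return {host: verdict(ind[host]) for host in ind}


def sample_events():
    """Constructed telemetry: one host showing the full chain, one host with a lone admin action."""
    base = 1_700_000_000
    ev = [
        Event(base, "WS-ADMIN-07", "image_load", r"C:\Users\pub\cy.exe", r"C:\Users\pub\winutils.dll"),
        Event(base + 3, "WS-ADMIN-07", "remote_thread", r"C:\Users\pub\cy.exe", r"C:\Windows\System32\notepad.exe"),
        Event(base + 5, "WS-ADMIN-07", "proc", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
        Event(base + 6, "WS-ADMIN-07", "proc", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
        Event(base + 7, "WS-ADMIN-07", "proc", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
        Event(base + 40, "WS-ADMIN-07", "file_create", r"C:\Windows\System32\notepad.exe", r"C:\Shares\Finance\_r_e_a_d_m_e.txt"),
    ]
    ev += [Event(base + 10 + i // 5, "WS-ADMIN-07", "file_rename", r"C:\Windows\System32\notepad.exe",
                 rf"C:\Shares\Finance\doc{i}.xlsx.k1k2k3{i % 100:02d}") for i in range(30)]
    ev.append(Event(base + 100, "FS-01", "proc", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Application"))
    ev += [Event(base + 200 + i * 10, "FS-01", "file_rename", "explorer.exe",
                 rf"C:\tmp\x{i}.k1k2k3{i:02d}") for i in range(3)]
    return ev


if __name__ == "__main__":
    for host, decision in triage(sample_events()).items():
        print(host, decision, sorted(indicators(sample_events())[host]))
```

The design point is in `verdict`: a lone `wevtutil cl` on FS-01 produces an alert an analyst can close, while WS-ADMIN-07 crosses into containment on the rename rate alone, before the ransom note even lands. Rate-based scoring also means three stray `.k1k2k3NN` renames do not trip T1486, which keeps the detection usable on file servers where the extension might collide with legitimate naming.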
What defenders should prioritize
If this family is behind the Uffizi intrusion, the main lesson concerns process, not the malware's name. Defenders get their first detection opportunity at the exposed application layer, especially Internet-facing email, collaboration and CMS services. If that stage is missed, the next best opportunities are process anomalies: DLL side-loading, suspicious notepad.exe activity, aggressive use of administrative tools, and tampering with logs or shadow copies.
The most dangerous turning point is domain-level privilege. At that point, service stopping, share discovery and GPO-based propagation can transform a local breach into a full enterprise outage in minutes. Domain Controllers, backup infrastructure and central logging should therefore be treated as strategic assets, not routine servers. Public institutions and cultural organizations also need to balance confidentiality with availability and recovery speed.
In environments where digital services run ticketing, archives, administration and internal communications together, the largest impact often comes from lateral movement, not from the initial exploit alone. The Uffizi case, the Sapienza attack and similar incidents in Italy show that this is an operational risk, not a theoretical one.
Attribution caution
The technical profile above is useful because it supports detection engineering even with incomplete attribution. Attribution discipline still matters. Reporting around the Uffizi case includes references to an Eastern European nexus, extortion messages and ransomware hypotheses, while the museum has publicly denied the theft of critical security information.
The analytical conclusion is simple: the incident is confirmed, the extent of data theft remains contested, and BabLock/Rorschach is a plausible but unconfirmed attribution candidate. For threat intelligence work, this is enough to guide monitoring and hardening, provided confidence levels are stated explicitly and reviewed as new evidence appears.