Cyber Incident Victim: University of Milano-Bicocca
Date: May 2017
Location: Italy
Summary
The University of Milano-Bicocca experienced a WannaCry ransomware infection affecting 4-5 student laboratory computers in its informatics department building. The attack vector was traced to an external USB drive that introduced the malware to isolated systems not connected to institutional databases. No data compromise occurred due to the segregated nature of the impacted machines, which were exclusively used for student activities. Affected computers underwent re-cloning and reformatting procedures before being restored to operational status. The incident remained contained without broader network consequences.
Description
On May 12, 2017, the University of Milano-Bicocca in Milan, Italy, experienced a cybersecurity incident involving the WannaCry ransomware. The attack specifically targeted 4-5 computers within a student laboratory located in building U14, which housed the university's informatics department. Initial analysis indicated the ransomware entered the university systems through an infected USB flash drive that had previously been contaminated outside the university network. This portable storage device subsequently transmitted the malware to the laboratory computers when connected. The compromised machines were isolated student workstations not integrated with the institution's central databases or primary network infrastructure, limiting the attack's potential reach.

University technical teams responded by immediately isolating the affected systems to prevent lateral movement of the ransomware. Forensic examination confirmed the malware variant as WannaCry, which was concurrently causing global disruptions across multiple sectors. As the infected computers served only as standalone student workstations without sensitive data connections, the university confirmed no institutional databases or confidential information were compromised. Remediation involved complete reimaging ("recloning") of the infected machines through reformatting and restoration from clean backups. This process eliminated the ransomware and allowed the computers to return to normal operation. The incident concluded without ransom payments or further propagation within university systems, with no evidence suggesting targeted exploitation beyond the initial USB transmission vector.
