The Uffizi Gallery in Florence, one of the world's most renowned art museums and Italian cultural institutions, confirmed a ransomware attack by the Medusalocker threat group. The attackers demanded €300,000 in cryptocurrency as ransom, delivered as an ultimatum to Gallery Director Simone Verde in early February 2026 with a 72-hour payment deadline. Italian law enforcement opened a criminal investigation for attempted extortion and unauthorized computer system access. The attack was characterized as professional and methodical by investigators, with attackers spending months in the Gallery's systems exfiltrating data before deploying ransomware encryption. The threat group claimed to have stolen accounting data, employee personal information, contact information, art scans, databases, architectural projects, and security plans. The breach represents a significant compromise of a UNESCO World Heritage site and demonstrates the targeting of high-profile cultural institutions by organized international cybercriminal groups.
What Happened
The Uffizi Gallery in Florence confirmed a ransomware attack by the Medusalocker threat group that compromised the Gallery's computer systems and exfiltrated sensitive institutional data. The attackers demanded €300,000 in cryptocurrency as ransom, set a 72-hour payment deadline, and threatened to publish the stolen data on dark web marketplaces.
Confirmed Facts:
- Victim: Uffizi Gallery Florence (iconic Italian art museum and UNESCO World Heritage site)
- Location: Florence, Italy
- Threat actor: Medusalocker ransomware group (suspected and identified by investigators)
- Attack type: Ransomware with data extortion (dual extortion)
- Ransom demand: €300,000 in cryptocurrency
- Ransom delivery: Direct communication to Gallery Director Simone Verde via personal phone
- Deadline: 72 hours from initial contact (early February 2026)
- Data exfiltration: Months-long unauthorized access before encryption
- Criminal investigation: Italian law enforcement opened case for attempted extortion and unauthorized system access
- Attacker methodology: Professional, planned, methodical, institutional-level capability
- Attack attribution: Methods consistent with organized cybercriminal groups based in the former Soviet Union and operating globally
- Public disclosure: April 4, 2026
Attack Timeline:
- Initial Compromise (date not disclosed): Medusalocker gained unauthorized access to Uffizi Gallery computer systems.
- Extended Network Reconnaissance (months prior to February 2026): Attackers spent extended time in Gallery systems exploring the network structure, identifying valuable data, and maintaining persistence.
- Data Exfiltration (months prior to February 2026): Accounting data, employee information, art scans, databases, architectural plans, and security documentation were systematically copied to attacker-controlled infrastructure.
- Ransomware Deployment (February 2026): After completing data exfiltration, the attackers deployed ransomware across Uffizi Gallery systems, encrypting critical files and systems.
- Ransom Demand (early February 2026): A demand for €300,000 in cryptocurrency was delivered directly to Gallery Director Simone Verde via his personal phone, with a 72-hour payment deadline.
- Investigation Initiation (February 2026): Italian law enforcement opened a criminal investigation for attempted extortion and unauthorized computer system access.
- Public Disclosure (April 4, 2026): Breach details became public knowledge through Italian news media.
What Was Taken
Confirmed Data Exposure:
- Accounting and financial data
- Employee personal data
- Contact information
- Art scans and imaging
- Databases and institutional records
- Architectural project files
- Security plans and documentation
Data Type Sensitivity Assessment: CRITICAL. Museum institutional data includes:
- Complete financial and accounting records revealing institutional budgeting and operations
- Employee personal information and employment records
- Contact information for staff, affiliates, and business partners
- High-resolution scans and images of artworks in collection
- Architectural and infrastructure documentation
- Security plans, procedures, and system details
- Access control and surveillance documentation
- Conservation data and artwork condition records
- Authentication and provenance records
- Insurance and valuation documentation
- Exhibition and loan records
Strategic Impact: The exposure of Uffizi Gallery data enables:
- Security vulnerability exploitation using architectural and security documentation
- Physical security compromise using security plans and access control details
- Artwork targeting through high-resolution scans and location information
- Identity theft targeting staff and institutional affiliates
- Business continuity disruption through operational knowledge
- Reputational damage to world-renowned cultural institution
- Extortion and blackmail using private institutional information
- Insurance and claims manipulation using valuation data
- Sale of institutional data and artwork information on dark web
Why It Matters
This attack represents a targeted compromise of one of the world's most important art museums and demonstrates the vulnerability of high-profile cultural institutions to sophisticated ransomware and extortion operations.
Strategic Significance:
- World-Renowned Cultural Institution: The Uffizi Gallery is one of the most prestigious art museums globally, containing priceless artworks and cultural heritage. The compromise of a UNESCO World Heritage site demonstrates the vulnerability of irreplaceable cultural assets.
- Medusalocker Operational Focus: The attack demonstrates Medusalocker's continued targeting of high-value institutional victims across sectors (public infrastructure, healthcare, services, industry) and its capability to execute sophisticated multi-month intrusions.
- Professional Attack Sophistication: Investigators noted the professional and methodical nature of the attack, indicating organized cybercriminal group capabilities and extended planning for high-value targets.
- Extended Dwell Time: The attackers' ability to remain in Uffizi Gallery systems for months without detection indicates significant gaps in threat detection and monitoring at a major institutional victim.
- Dual Extortion Model: The combination of ransomware encryption with data exfiltration and the threat of publication demonstrates the evolution of ransomware operations to maximize pressure and ransom payment incentives.
- High Ransom Demand: The €300,000 ransom demand indicates the attackers' assessment of the Gallery's ability and willingness to pay, based on institutional significance and recovery urgency.
- International Cybercriminal Operations: The attack reflects the capabilities of organized international cybercriminal groups operating across borders and targeting victims globally regardless of sector or prominence.
The Attack Technique
Confirmed Attack Methods:
- Extended Network Persistence: Attackers maintained unauthorized access to Uffizi Gallery systems for months without detection.
- Systematic Data Exfiltration: Attackers methodically identified, accessed, and copied multiple data categories, including financial records, employee data, artwork documentation, and security plans.
- Dual Extortion Tactic: Attackers combined ransomware encryption (operational extortion) with the threat to publish exfiltrated data (information extortion) to maximize pressure for ransom payment.
- Direct Ransom Communication: The ransom demand was delivered directly to the Gallery Director via personal phone communication, bypassing email systems and creating urgency.
- Professional Threat Narrative: Attackers provided a detailed message claiming professional expertise, listing the specific stolen data categories, and demonstrating institutional knowledge to establish the credibility of the threat.
What Organizations Should Do
For Museums & Cultural Institutions:
- Immediate Incident Response & Forensic Investigation — Conduct complete forensic analysis of compromised systems; determine the initial access vector; identify all data exfiltrated; assess whether attackers maintain persistence post-encryption; preserve evidence for the law enforcement investigation.
- Stakeholder Notification & Legal Response — Notify all affected employees, partners, and relevant authorities of the breach; coordinate with Italian law enforcement and cybersecurity authorities; consult legal counsel regarding extortion threats and ransom payment implications; preserve all attacker communications as evidence.
- Artifact & Collection Security Assessment — Assess whether the exposed security plans or architectural documentation could enable physical theft targeting; implement enhanced physical security for high-value collections; coordinate with insurance providers; notify heritage preservation authorities.
- Data Security & Access Control Hardening — Implement multi-factor authentication for all system access; segment institutional networks to isolate sensitive data; deploy endpoint detection and response; implement continuous monitoring and alerting for unauthorized access attempts.
- Ransomware Recovery & System Restoration — Develop a recovery strategy from clean, offline backups; test backup recovery procedures; restore systems from known-clean backup points; implement immutable backup procedures; avoid ransom payment if possible.
- Third-Party Vendor Security & Supply Chain Assessment — Audit all vendors with access to institutional systems; implement mandatory security certifications; establish vendor incident response procedures; consider supply chain security improvements.
For Italian Government & Cultural Heritage Authorities:
- Coordinate national response to Medusalocker targeting cultural institutions
- Issue guidance to all museums regarding ransomware and data protection
- Establish information sharing protocols for ransomware attacks
- Consider cultural heritage-specific cybersecurity requirements
- Coordinate with law enforcement on ransomware group investigation
For International Museums & Cultural Institutions:
- Monitor Medusalocker activity targeting cultural sector
- Implement threat intelligence monitoring for cultural institution targeting
- Conduct security assessments of collections and access control systems
- Establish sector-wide threat intelligence sharing
- Consider enhanced security for high-value and irreplaceable collections