Latvia’s State Forestry Company Hit by Prolonged Ransomware Attack
Latvia’s state-owned forestry company, Latvijas Valsts Meži (LVM), is still recovering from a ransomware attack that disrupted its IT systems for weeks. The incident, first disclosed in late June, took key services including a mapping platform, hunting application, and contractor communication systems offline.
Authorities revealed that attackers had likely been inside LVM’s network for over a week before detection. LVM’s CTO, Maris Kuzmins, stated that while the situation has stabilized, full restoration remains challenging, with two-thirds of contracted customers still unable to access affected systems. The breach exploited an unpatched vulnerability in a system that had not been updated for two years, though the specific software was not disclosed. LVM confirmed it received no ransom demand and would refuse to pay if contacted.
As one of Latvia’s most profitable state-owned enterprises, LVM manages forests, timber sales, public recreation sites, and geographic mapping services. The attack, attributed by Latvia’s CERT.LV to a financially motivated foreign ransomware group with a history of targeting NATO and EU entities, resulted in the leak of 44GB of stolen data. Exposed files included internal documents, emails, software code, digital certificates, cryptographic keys, and user credentials though investigators believe the attackers accessed far more than they published.
The breach raised concerns due to LVM’s role in developing features for Latvia’s electronic voter registration system. However, authorities confirmed the election infrastructure was unaffected, as the software was built in a separate environment and never stored in LVM’s corporate systems. CERT.LV reviewed all related code deliveries and found no evidence of tampering, deeming the system secure for upcoming parliamentary elections.
The same threat actor also compromised a server at Latvian pharmaceutical company Olpha (formerly Olainfarm), though the breach was contained with no further damage detected. Despite the shared attribution, CERT.LV stated the two incidents were technically unrelated. The group remains active in Latvian cyberspace, actively probing for vulnerabilities in public and private sector networks.
Source: https://therecord.media/latvia-state-owned-foresty-company-lvm-ransomware
Latvijas valsts meži cybersecurity rating report: https://www.rankiteo.com/company/latvijas-valsts-mezi
"id": "LAT1783614703",
"linkid": "latvijas-valsts-mezi",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Two-thirds of contracted '
'customers',
'industry': 'Forestry, Timber sales, Public '
'recreation, Geographic mapping',
'location': 'Latvia',
'name': 'Latvijas Valsts Meži (LVM)',
'type': 'State-owned enterprise'},
{'industry': 'Pharmaceutical',
'location': 'Latvia',
'name': 'Olpha (formerly Olainfarm)',
'type': 'Private company'}],
'attack_vector': 'Unpatched vulnerability',
'data_breach': {'data_exfiltration': '44GB of data leaked',
'personally_identifiable_information': 'User credentials',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Internal documents',
'Emails',
'Software code',
'Digital certificates',
'Cryptographic keys',
'User credentials']},
'date_publicly_disclosed': '2024-06',
'description': 'Latvia’s state-owned forestry company, Latvijas Valsts Meži '
'(LVM), is still recovering from a ransomware attack that '
'disrupted its IT systems for weeks. The incident took key '
'services including a mapping platform, hunting application, '
'and contractor communication systems offline. The breach '
'exploited an unpatched vulnerability in a system that had not '
'been updated for two years. The attack resulted in the leak '
'of 44GB of stolen data, including internal documents, emails, '
'software code, digital certificates, cryptographic keys, and '
'user credentials.',
'impact': {'data_compromised': '44GB of data leaked',
'downtime': 'Weeks',
'identity_theft_risk': 'User credentials exposed',
'operational_impact': 'Disrupted key services, two-thirds of '
'contracted customers still unable to access '
'affected systems',
'systems_affected': ['Mapping platform',
'Hunting application',
'Contractor communication systems']},
'initial_access_broker': {'reconnaissance_period': 'Over a week'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain',
'post_incident_analysis': {'root_causes': 'Unpatched vulnerability in a '
'system not updated for two years'},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'None received',
'ransom_paid': 'None'},
'references': [{'source': 'CERT.LV'}],
'response': {'remediation_measures': 'Full restoration in progress'},
'threat_actor': 'Financially motivated foreign ransomware group',
'title': 'Latvia’s State Forestry Company Hit by Prolonged Ransomware Attack',
'type': 'Ransomware',
'vulnerability_exploited': 'Unpatched system (not disclosed)'}