Latvijas Valsts Meži (LVM), the state-owned company that manages most of Latvia’s public forests, is still rebuilding its IT environment weeks after a ransomware attack that encrypted core systems, disrupted operations across the forestry sector, and spilled roughly 44 gigabytes of internal data onto the internet — including source code, cryptographic keys, and user passwords.

The root cause, confirmed by investigators, is painfully familiar: the attackers walked in through a system that had gone unpatched for two years.

Eleven Days of Silence, Then Detonation

LVM detected the attack on June 22, but forensic work by Latvia’s national CERT (CERT.LV) established that the intruder had gained access as early as June 11 — eleven days of undetected presence spent mapping the network and staging data for theft. Active operations, including encryption, began during the night of June 22–23.

The company is no minor victim. LVM is one of Latvia’s most profitable state-owned enterprises: it manages the majority of the country’s state forest land, harvests and sells timber, maintains public recreation sites, and provides geographic information and mapping services used across the country. The attack knocked out mapping, hunting-permit, contractor, and customer-facing systems — turning a ransomware incident into a national supply-chain disruption for the forestry industry. Latvia’s economics minister publicly framed the incident as a warning about national cybersecurity risk in state-owned enterprises.

What Leaked

When LVM declined to pay, the attackers published approximately 44GB of stolen material. According to CERT.LV, the leak mainly consists of:

  • Internal documents and email correspondence with attachments
  • The source code repository for LVM’s business IT projects
  • Certificates and cryptographic keys for various systems
  • User passwords and password hashes

Investigators believe the attackers accessed significantly more data than they published — meaning the 44GB should be read as a sample, not an inventory.

The leaked keys and credentials are the most operationally dangerous items on that list. Every certificate, API key, and password touched by the intruders has to be treated as burned, which is a large part of why restoration has stretched into weeks: LVM isn’t just restoring backups, it’s rebuilding trust in its entire identity and secrets layer.

A €600,000 Invoice, Calculated by Revenue

The ransom demand carried an unusual flourish: the attackers asked for 0.1% of LVM’s annual revenue — working out to more than €600,000 — in exchange for decryption. Percentage-of-revenue pricing has become a signature of mature ransomware operations, which research victims’ financials before setting a figure designed to look “reasonable” to the board.

CERT.LV attributes the intrusion to a foreign, financially motivated ransomware group with a track record of hitting companies and public institutions across NATO and EU countries. Investigators have not publicly named the gang, but they have connected the same actor to an attack on Olpha, a Latvian pharmaceutical company — indicating a deliberate campaign against Latvian targets rather than a single opportunistic hit.

The Two-Year Patch Gap

Strip away the geopolitics and the lesson is brutally simple. A profitable, strategically important state enterprise was breached through a known vulnerability in a system that sat unpatched for two years.

That gap is not a technology failure — scanners find these systems trivially, which is exactly how the attackers did. It is a governance failure: no asset inventory that flagged the system, no patch SLA that escalated it, no compensating control that isolated it. For every organization reading about LVM from a distance, the actionable question is not “which gang was it?” but “what is our oldest unpatched internet-reachable system, and who owns that number?”

The eleven-day dwell time compounds the point. Detection did not happen during initial access, lateral movement, or staging — only when encryption made the intrusion impossible to miss. Organizations that cannot detect an intruder in under a week are structurally choosing to find out about breaches from the ransom note.

Sources