Overview
Latvijas Valsts mezi (LVM), Latvia's state-owned forest management company, is still working to restore IT systems more than two weeks after a ransomware attack first detected on June 25, 2026. The attacker gained initial access around June 11 and remained undetected for nearly two weeks before launching active malicious operations during the night of June 22–23.
The attack exfiltrated 44 GB of sensitive data, demanded over €600,000 in ransom (0.1% of LVM's annual revenue), and took down external-facing services including the LVM GEO mapping platform and the Mednis hunting app. LVM has stated it will not pay the ransom.
The incident has since expanded into a national cybersecurity crisis, with the same threat actor subsequently attacking Olpha, a Latvian pharmaceutical manufacturer, and CERT.LV confirming the group is actively probing additional Latvian public and private sector targets.
Incident Timeline
| Date | Event |
|---|---|
| ~June 11, 2026 | Attacker gains initial access to LVM systems |
| June 11–22 | 13-day undetected dwell period |
| June 22–23 (overnight) | Active malicious operations begin (encryption, exfiltration) |
| June 25, 2026 | Attack publicly confirmed by LVM |
| Late June 2026 | Hacker boasts on criminal forums; leaks 44 GB of data |
| Early July 2026 | Same group attacks Olpha pharmaceutical company |
| July 9, 2026 | LVM still restoring systems; national debate ongoing |
What Was Compromised
The attacker exfiltrated and publicly leaked 44 GB of LVM data, including:
- Internal documents and email correspondence
- Source code repositories
- Certificates and cryptographic keys
- User passwords and password hashes
External-facing systems taken offline included:
- LVM GEO — the company's mapping and geospatial service
- Mednis — a hunting app built on LVM data
- Internal information exchange systems serving clients and service providers
The 13-Day Dwell Problem
One of the most damaging aspects of this incident is not the ransomware itself, but the 13-day window during which the attacker operated undetected. This was attributed to a lack of anomaly-detection tooling — a gap that allowed the attacker to map the environment, escalate privileges, and exfiltrate data before triggering any alerts.
Prime Minister Andris Kulbergs publicly called the failure to detect the intrusion "unacceptable." The extended dwell time significantly complicated recovery: the longer an attacker is present before encryption, the more thoroughly they can understand and disrupt backup systems, spread laterally, and maximize the damage of the eventual encryption event.
Ransom Demand and LVM's Response
The attacker demanded 0.1% of LVM's annual revenue — exceeding €600,000 in exchange for decryption. LVM has stated clearly that it will not cooperate with the attacker or pay the ransom, consistent with the general guidance from CERT.LV and international law enforcement agencies that paying ransoms funds further criminal operations without guaranteeing data recovery.
National Implications
LVM's breach has implications well beyond the company itself:
Election System Proximity
LVM is one of three companies involved in developing Latvia's Saeima (parliamentary) election system. Authorities confirmed that election infrastructure was maintained on separate, isolated systems and was not compromised — but the proximity raised significant concern among government officials about supply-chain risk to critical democratic infrastructure.
National Coordination Gap
The incident exposed a critical gap: Latvia has no single designated coordinator for large-scale cyberattacks. The government is now considering assigning that role to the Crisis Management Center, with legislative or regulatory action potentially to follow.
Cybersecurity Law Compliance Failures
Questions have been raised about why LVM — operating infrastructure that touches election systems and managing sensitive state forestry data — had not met requirements under Latvia's National Cybersecurity Law. Audits appear to have missed the gaps that allowed this breach.
Expanding Threat Campaign
CERT.LV confirmed the attacking group subsequently hit Olpha, a Latvian pharmaceutical manufacturer, and is "actively probing" other organizations. This suggests a targeted campaign against Latvian critical infrastructure rather than an opportunistic single attack.
Attribution
CERT.LV described the attacker as a foreign, financially motivated ransomware group. The specific group name has not been officially released. The attacker openly boasted about the breach on criminal hacker forums shortly after execution — suggesting either confidence in their operational security or deliberate use of the breach for reputational gain within the cybercriminal ecosystem.
Lessons for Critical Infrastructure Operators
This incident illustrates several failure modes common to critical infrastructure ransomware incidents:
-
Detection lag is as damaging as encryption — a 13-day dwell time gave the attacker everything they needed. Anomaly detection, network segmentation monitoring, and behavioral analytics are not optional.
-
Privileged data requires proportionate protection — cryptographic keys, password hashes, and source code should not be accessible from systems with general network connectivity.
-
State-adjacent organizations carry national risk — companies that touch election systems, government data, or critical services should be held to government-level security standards, not corporate ones.
-
Incident response requires a national coordinator — the absence of a clear lead agency for large-scale cyber incidents in Latvia meant the response was fragmented. A designated coordinator with clear authority is a prerequisite for effective response.
-
Compliance audits must find real gaps — LVM reportedly did not meet requirements under Latvia's cybersecurity law, yet audits missed this. Compliance and security are not the same thing, but compliance frameworks should at minimum catch the most glaring gaps.