Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Latvian State Forests Still Restoring Systems Weeks After Ransomware Attack
Latvian State Forests Still Restoring Systems Weeks After Ransomware Attack
NEWS

Latvian State Forests Still Restoring Systems Weeks After Ransomware Attack

Latvia's state-owned forest management company LVM remains in recovery mode weeks after a ransomware attack that went undetected for nearly two weeks, exfiltrated 44 GB of data, and demanded over €600,000 in ransom — triggering a national cybersecurity debate.

Dylan H.

News Desk

July 9, 2026
5 min read

Overview

Latvijas Valsts mezi (LVM), Latvia's state-owned forest management company, is still working to restore IT systems more than two weeks after a ransomware attack first detected on June 25, 2026. The attacker gained initial access around June 11 and remained undetected for nearly two weeks before launching active malicious operations during the night of June 22–23.

The attack exfiltrated 44 GB of sensitive data, demanded over €600,000 in ransom (0.1% of LVM's annual revenue), and took down external-facing services including the LVM GEO mapping platform and the Mednis hunting app. LVM has stated it will not pay the ransom.

The incident has since expanded into a national cybersecurity crisis, with the same threat actor subsequently attacking Olpha, a Latvian pharmaceutical manufacturer, and CERT.LV confirming the group is actively probing additional Latvian public and private sector targets.

Incident Timeline

DateEvent
~June 11, 2026Attacker gains initial access to LVM systems
June 11–2213-day undetected dwell period
June 22–23 (overnight)Active malicious operations begin (encryption, exfiltration)
June 25, 2026Attack publicly confirmed by LVM
Late June 2026Hacker boasts on criminal forums; leaks 44 GB of data
Early July 2026Same group attacks Olpha pharmaceutical company
July 9, 2026LVM still restoring systems; national debate ongoing

What Was Compromised

The attacker exfiltrated and publicly leaked 44 GB of LVM data, including:

  • Internal documents and email correspondence
  • Source code repositories
  • Certificates and cryptographic keys
  • User passwords and password hashes

External-facing systems taken offline included:

  • LVM GEO — the company's mapping and geospatial service
  • Mednis — a hunting app built on LVM data
  • Internal information exchange systems serving clients and service providers

The 13-Day Dwell Problem

One of the most damaging aspects of this incident is not the ransomware itself, but the 13-day window during which the attacker operated undetected. This was attributed to a lack of anomaly-detection tooling — a gap that allowed the attacker to map the environment, escalate privileges, and exfiltrate data before triggering any alerts.

Prime Minister Andris Kulbergs publicly called the failure to detect the intrusion "unacceptable." The extended dwell time significantly complicated recovery: the longer an attacker is present before encryption, the more thoroughly they can understand and disrupt backup systems, spread laterally, and maximize the damage of the eventual encryption event.

Ransom Demand and LVM's Response

The attacker demanded 0.1% of LVM's annual revenue — exceeding €600,000 in exchange for decryption. LVM has stated clearly that it will not cooperate with the attacker or pay the ransom, consistent with the general guidance from CERT.LV and international law enforcement agencies that paying ransoms funds further criminal operations without guaranteeing data recovery.

National Implications

LVM's breach has implications well beyond the company itself:

Election System Proximity

LVM is one of three companies involved in developing Latvia's Saeima (parliamentary) election system. Authorities confirmed that election infrastructure was maintained on separate, isolated systems and was not compromised — but the proximity raised significant concern among government officials about supply-chain risk to critical democratic infrastructure.

National Coordination Gap

The incident exposed a critical gap: Latvia has no single designated coordinator for large-scale cyberattacks. The government is now considering assigning that role to the Crisis Management Center, with legislative or regulatory action potentially to follow.

Cybersecurity Law Compliance Failures

Questions have been raised about why LVM — operating infrastructure that touches election systems and managing sensitive state forestry data — had not met requirements under Latvia's National Cybersecurity Law. Audits appear to have missed the gaps that allowed this breach.

Expanding Threat Campaign

CERT.LV confirmed the attacking group subsequently hit Olpha, a Latvian pharmaceutical manufacturer, and is "actively probing" other organizations. This suggests a targeted campaign against Latvian critical infrastructure rather than an opportunistic single attack.

Attribution

CERT.LV described the attacker as a foreign, financially motivated ransomware group. The specific group name has not been officially released. The attacker openly boasted about the breach on criminal hacker forums shortly after execution — suggesting either confidence in their operational security or deliberate use of the breach for reputational gain within the cybercriminal ecosystem.

Lessons for Critical Infrastructure Operators

This incident illustrates several failure modes common to critical infrastructure ransomware incidents:

  1. Detection lag is as damaging as encryption — a 13-day dwell time gave the attacker everything they needed. Anomaly detection, network segmentation monitoring, and behavioral analytics are not optional.

  2. Privileged data requires proportionate protection — cryptographic keys, password hashes, and source code should not be accessible from systems with general network connectivity.

  3. State-adjacent organizations carry national risk — companies that touch election systems, government data, or critical services should be held to government-level security standards, not corporate ones.

  4. Incident response requires a national coordinator — the absence of a clear lead agency for large-scale cyber incidents in Latvia meant the response was fragmented. A designated coordinator with clear authority is a prerequisite for effective response.

  5. Compliance audits must find real gaps — LVM reportedly did not meet requirements under Latvia's cybersecurity law, yet audits missed this. Compliance and security are not the same thing, but compliance frameworks should at minimum catch the most glaring gaps.

References

  • LSM — Cyberattack on Latvian State Forests Detected
  • LSM — Same Hacker Also Attacked Olpha
  • Baltic Focus — Attack No Longer Just a Company Incident
  • BNN News — Attack Highlights National Cybersecurity Risks
  • Fordaq — LVM Works to Restore IT Systems
#Ransomware#Latvia#Critical Infrastructure#Data Breach#Incident Response

Related Articles

UK Fines Water Supplier $1.3M for Exposing Data of 664K

The UK's Information Commissioner's Office has fined South Staffordshire Water Plc and its parent company £963,900 ($1.3 million) after a cyberattack...

6 min read

West Pharmaceutical Services Hit by Disruptive Ransomware

West Pharmaceutical Services, a global manufacturer of drug delivery systems and packaging, has taken systems offline worldwide after hackers exfiltrated...

5 min read

UK Water Utility Fined £963,900 After Cl0p Lurked

The UK's Information Commissioner's Office fined South Staffordshire Water nearly £1 million after the Cl0p ransomware group maintained undetected access...

4 min read
Back to all News