Latvian Forestry Firm LVM Recovers from Weeks-Long Ransomware Attack
Latvijas Valsts Mezi (LVM), a major Latvian state-owned forestry company, is still grappling with IT system restoration weeks after a significant ransomware attack disrupted operations and customer services.

Latvijas Valsts Mezi (LVM), Latvia's state-owned forestry giant, continues its extensive recovery efforts following a ransomware attack that began in late June. The incident significantly impacted internal operations and customer-facing services, including the company's mapping platform, hunting application, and systems used for contractor and customer data exchange. Weeks after the initial compromise, approximately two-thirds of customers with service contracts still lack access to the affected systems, highlighting the depth of the disruption.
Maris Kuzmins, LVM's chief technology officer, stated that while the immediate crisis has stabilized, returning all operations to normal remains a "quite challenging" endeavor. The attackers reportedly exploited a vulnerability in a system that had been unpatched for two years, though the specific software involved has not been publicly identified. Notably, LVM has maintained that it has not received a ransom demand and would refuse to pay even if one were issued, underscoring a commitment to not negotiating with cybercriminals.
LVM, one of Latvia's most profitable state-owned enterprises, manages a substantial portion of the country's state forests, engaging in timber harvesting and sales, maintaining public recreation areas, and providing geographic information and mapping services. The attack's broad impact on these critical functions underscores the company's importance to the national economy and infrastructure.
Latvia's national computer emergency response team, CERT.LV, has attributed the intrusion to a foreign, financially motivated ransomware group. This group has a history of targeting organizations within NATO and European Union member states, though its specific identity remains undisclosed. CERT.LV's investigation revealed that the attackers had likely been present in LVM's network for over a week before detection, allowing them ample time to explore and exfiltrate data.
The threat actors managed to leak approximately 44 gigabytes of stolen data online, including internal documents, email correspondence, software code repositories, digital certificates, cryptographic keys, and user credentials. Investigators believe the actual volume of accessed information was considerably larger than what was ultimately published, suggesting a significant data breach.
Adding a layer of concern, LVM's involvement in developing functionality for Latvia's electronic voter registration system prompted immediate scrutiny. However, Latvian authorities have confirmed that the election infrastructure was not compromised. The software was developed in a separate, isolated environment, and its code was never stored in LVM's corporate repositories. CERT.LV thoroughly reviewed all software deliveries for the project and found no evidence of malicious code or unauthorized access, deeming the election system secure.
CERT.LV also linked the same threat actor to a separate incident involving a server belonging to Latvian pharmaceutical company Olpha (formerly Olainfarm). While the Olpha breach has been contained with limited damage, authorities stressed that the two incidents were technically unrelated. The group, however, is reportedly continuing its activities within Latvian cyberspace, actively seeking new vulnerabilities in both public and private sector organizations.
This incident serves as a stark reminder of the persistent threat posed by financially motivated ransomware groups and the critical importance of maintaining up-to-date security measures, especially for systems managing sensitive operational and customer data. The ongoing nature of the threat actor's activities also highlights the need for continuous vigilance and proactive threat hunting across critical infrastructure.