top of page

LVM ransomware attack in Latvia: what our neighbours' incident says about your company?

  • 1 day ago
  • 6 min read
LVM latvija

On the night of June 22-23, just before Midsummer, as Latvia was preparing for the long holiday weekend, attackers launched an active assault on one of the country's largest state-owned companies - Latvijas valsts meži (LVM, Latvian State Forests). The result: encrypted data, around 7,000 stolen employee passwords, deleted backups, and systems that stayed down for weeks.


It is common to assume that attackers are more interested in state infrastructure itself than in individual companies. Unfortunately, targets are usually chosen not by size or importance, but by the vulnerabilities that can be found in any organization. In this case, LVM suffered a ransomware attack - a breach in which attackers encrypt a company's data and demand payment to restore access. The LVM case is an almost textbook example of how such attacks unfold in an organization of any size - operations grinding to a halt, accounting frozen, orders lost, and sensitive data leaked.


How did the LVM ransomware attack happen?


LVM ransomware attack timeline

According to publicly available information, events unfolded as follows:


June 11 - the intruder entered LVM's systems through an old, well-known security vulnerability on an internet-facing server. A fix for that vulnerability had been released long ago - it simply had not been installed: according to experts quoted in the Latvian media, the server had not been updated for two years.


June 11-22 - for almost two weeks, the attacker operated quietly inside: scouting the network, collecting credentials, preparing. Nobody noticed.


Night of June 22-23 - the active phase began: data encryption, backup deletion. The timing was no accident - right before one of Latvia's biggest holidays, when offices empty out.


June 25 - the company publicly confirmed the attack. External services (the mapping system LVM GEO, the hunting app Mednis) and some internal systems were taken offline.


Early July - Latvia's national cyber incident response agency CERT.LV announced that the same attacker had also breached a server of the pharmaceutical manufacturer Olpha, and that the group continues to actively scan the infrastructure of Latvian organizations in search of new victims. By then, weeks after the attack, about two thirds of LVM's service clients still had no access to the systems.


Media reports suggested the ransom demand may have exceeded 600,000 euros. The company says it received no ransom demand and would not pay one.


Are you "too small to be attacked"?

A particularly important detail lies in CERT.LV's conclusion: the attack was carried out by a financially motivated international group, and there is no reason to believe it was targeting Latvia specifically, or LVM specifically.


In other words, nobody chose the victim by size or importance. The attackers automatically scanned networks looking for outdated, vulnerable servers or other ways in - and broke in where the door was ajar. LVM ended up in the crosshairs not because it is a strategic state enterprise, but because it had a server that had gone two years without updates, carrying a security hole the attackers knew well. The Olpha case confirms this: forestry and pharmaceuticals have nothing in common - except a vulnerable server.


Three lessons that apply to every company


1. A security vulnerability is an open door for attackers


The ransomware attack LVM suffered was enabled not by a brilliant criminal programmer, but by software left without updates for two years. This is one of the most common cyber incident scenarios: the vulnerability long known, the fix long released, just never installed.


Security gaps in your organization need to be found before the attackers find them

The question for a manager here is simple: who in your company is responsible for keeping all internet-facing systems updated? Not "IT gets to it eventually", but a specific person, a specific process, a regular check. Regular vulnerability scanning is one of the core activities of a SOC (security operations center) for exactly this reason: gaps must be found before the attackers find them.


2. The difference between protection and monitoring


About eleven days passed between the break-in and the active attack. All that time, a stranger was walking through the company's network, collecting passwords and preparing the strike - and nobody noticed.


This is worth pausing on, because it is the most important lesson. Those eleven days were the window during which the incident could still have been stopped without major damage: an unusual login spotted, strange activity on a server, unusual data movement. At every step, the attacker left traces in the event logs - the automatic system "diaries" that record who connected, when, and from where. But logs do not read themselves - someone has to be watching.


That is exactly the difference between protection and monitoring. A firewall and antivirus are locks and fences - they did not stop this attack, because the intruder walked in through an unlocked door. What was missing was continuous monitoring that would have noticed a stranger inside. We covered this in more detail in our post explaining what a SOC is - and the LVM case is a precise illustration of that text, only, sadly, a real one.


SOC steps
With an active SOC monitoring, the intruders in LVM systems could have been detected within hours of suspicious activity

Note the timing as well: the active phase began on the night before a holiday. That is no coincidence but standard tactics - the US agencies FBI and CISA issued a dedicated warning about it back in 2021. Attackers strike when nobody is watching. Monitoring that only works during business hours protects you only from polite intruders.


3. The backups existed - and were deleted


LVM had backups. The attackers deleted them before encrypting the data - because modern ransomware attacks always go after the backups first. Encrypting data while the victim holds working copies is pointless: nobody will pay the ransom.


The question "how quickly could you restore your data?" needs an answer drawn from experience, not from hope.

The practical takeaway: if your backups are reachable from the same network with the same credentials, they are not insurance but the illusion of it. At least one copy must be offline or protected so that it cannot be altered or deleted even with administrator access. And just as important - recovery must have been tested.


Atsarginės kopijos

The real cost is not the ransom


When tallying the damage, the 600,000-euro ransom - substantial as it is - is not the biggest problem; LVM says it did not receive and would not pay it. The real cost looks different: systems down for weeks, two thirds of clients cut off from services, thousands of employees resetting passwords, personal data possibly leaked, extra attention from regulators, and headlines in the media.


For a typical company, a breach like this would mean weeks without accounting, without an ordering system, without customer data - and an uncomfortable question from clients: "can I trust you?"


Three questions worth asking this week


Even if the LVM attack feels distant, it is worth taking our neighbours' situation into account and putting concrete questions to your IT team or service provider, to find out whether your company could fall victim to the same scenario:


  1. Do we have internet-facing systems that have not been updated for more than a few months? If nobody knows the answer - that is already the answer.

  2. If a stranger connected to our network today, how long would it take us to notice? In LVM's case the answer was "eleven days later - when the attackers started encrypting the data and access to it was lost".

  3. Would our backups survive an attack designed to destroy them? And have we ever actually tested restoring from them?


These questions matter beyond risk alone: Lithuania's Cybersecurity Law (KSĮ, transposing the EU NIS2 directive) already requires many organizations to have a system update process, the ability to detect incidents, and to report them to the National Cyber Security Centre (NKSC) within 24 hours.


A painful lesson from our neighbours for Lithuanian business


There is nothing in the LVM story that could not happen in Lithuania - according to CERT.LV, the same group remains active in the region and is looking for new targets. The difference between a company that notices such an attack on day one and one that learns about it eleven days later from encrypted files is not technology, but continuous monitoring and clearly defined processes.


If you want to know how your organization would fare in this scenario - from unpatched systems to backup resilience - let's talk. Our SOC service, combined with a cybersecurity strategy built by a CISO, lets you achieve full cybersecurity compliance from a single provider.



 
 

Take the first step

Cybersecurity compliance doesn't happen in a day - contact us and start working towards it

bottom of page