May 26, 2026 Swedish eTrade platform signs an agreement for vulnerability scanning
May 21, 2026 Swedish software producer signs agreement for continuous pentesting
May 20, 2026 Swedish CRM producer signs an agreement for continuous penetration testing
May 16, 2026 eBuilder signs an agreement for SOC/MDR with a TechHub
May 11, 2026 eBuilder signs an agreement for SOC/MDR and automated pentests with a company in the publishing business
May 8, 2026 eBuilder signs a pentest agreement with a leading petrochemical producer
April 8, 2026 eBuilder signs an agreement for MDR/SOC with a hotel business.
March 13, 2026 eBuilder signs an agreement for SOC-operations with a Swedish municipality.
Company News
Ransomware

Latvia’s State-Owned Forestry Giant LVM Still Offline Weeks After Ransomware Attack

Date July 10, 2026 / 4 Min Read

Latvia’s state-owned forestry company LVM was hit by a ransomware attack several weeks ago and many of its internal and customer-facing services remain offline. The attackers gained access by exploiting a vulnerability in an outdated system. LVM has not paid the ransom demand. According to The Record, a foreign, financially motivated group carried out the attack.

LVM is one of Latvia’s largest state-owned enterprises, managing roughly half the country’s forests and running timber operations at significant commercial scale. Taking it offline is not a minor disruption. The company is still in the process of restoring its IT environment and no timeline for full recovery has been published.

An Outdated System Left the Door Open

LVM has confirmed the attackers exploited an outdated system vulnerability. No CVE has been disclosed and the affected product has not been named publicly. That is a significant gap. Without knowing which component was targeted, other organisations in the same sector cannot assess whether they carry the same exposure.

The pattern is familiar and the lesson is unchanged, unpatched legacy systems in operational environments are the entry point of choice for financially motivated ransomware groups. This was not a zero-day. The vulnerability was known. The company had not addressed it.

Attribution Stays at “Financially Motivated” for Now

Latvian authorities and LVM have described the attackers as a foreign, financially motivated group. No ransomware gang has been named publicly and no group has claimed the attack. That level of attribution is appropriate at this stage. Anyone claiming to know exactly who is behind this within days of an incident should be pressed on their evidence.

The financially motivated framing does however narrow the field. State-directed operations against a forestry company carry limited strategic logic. This looks like an opportunistic attack against a large organisation with a legacy IT estate which is precisely the profile these groups target for maximum leverage.

State-Owned Does Not Mean Well-Defended

LVM’s experience reinforces a point that often gets lost in discussions about critical infrastructure security, state ownership does not translate into strong cyber hygiene. Public sector and state-adjacent organisations across the Nordics and Baltics frequently carry technical debt accumulated over decades of underinvestment in IT modernisation. Attackers know this and price it into their target selection.

Sweden’s Sveaskog, the state-owned forestry company managing around 14% of Sweden’s productive forest land, operates a comparable IT-dependent operational model across timber logistics, land management and customer services. There is no indication Sveaskog has been targeted but the LVM attack is a direct prompt to review patch status on any legacy systems sitting in or adjacent to operational infrastructure.

Patching Is the Only Actual Fix Here

The remediation for this attack is not complex. It is just chronically underdone. Maintain a current inventory of every system in your environment including those that predate your current IT team. Map which ones are internet-facing or accessible from external networks. Prioritise patching based on exposure, not age of the vulnerability.

If a system cannot be patched because it runs software that will not support a current OS, isolate it. Put it behind strict network segmentation with no unnecessary external access. Document the risk formally and ensure management has signed off on the decision to leave it in place. That paper trail matters when regulators ask questions and under NIS2 they will.

Offline, tested backups remain the single most effective control for limiting ransomware damage once an attacker is already inside. LVM’s refusal to pay suggests the company had enough backup integrity to attempt recovery. Weeks of downtime is the cost of that decision. It is still the right call.

References

  1. Latvian forestry company still restoring systems weeks after ransomware attack

This post is also available in: Svenska