Virtual Round Table · Jul 22

View the event
A Two Year Unpatched Flaw Let Ransomware Into Latvia's State Forests, and 44 GB Walked Out
Cybersecurity

A Two Year Unpatched Flaw Let Ransomware Into Latvia's State Forests, and 44 GB Walked Out

Attackers sat undetected inside Latvijas Valsts Meži for over a week, disrupted mapping and customer systems, and leaked 44 gigabytes of documents, keys and source code.

PublishedJuly 14, 2026
Read time5 min read
Share

A National Asset Goes Dark

Latvijas Valsts Meži, one of Latvia's most profitable state owned companies, spent weeks restoring systems after a ransomware attack that struck at the core of its operations. The company manages most of Latvia's state forests, harvests and sells timber, maintains public recreation sites and provides geographic and mapping services, which makes it both a commercial enterprise and a piece of national infrastructure. The attack was detected on June 22, 2026, and it knocked out the company's mapping platform, its hunting application, and the systems that exchange information with contractors and customers.

The disruption was not brief. As of early July the company was still working through recovery, with chief technology officer Maris Kuzmins saying the situation had stabilized but that returning operations to normal remained quite challenging. The most telling figure was that roughly two thirds of customers with service contracts still lacked access to the affected systems weeks after the intrusion. For an organization that sits at the center of a national timber economy, an outage measured in weeks is not an inconvenience. It is a material hit to a supply chain that many other businesses depend on.

Two Years Without a Patch

The root cause is the part that should sting every technology leader, because it is entirely preventable. Attackers exploited a vulnerability in a system that had not received updates for two years. There was no exotic zero day and no nation state grade tradecraft required at the point of entry. There was simply a reachable system carrying a known, fixable weakness that nobody had closed. In an environment where vendors and researchers publish patches on a regular cadence, a two year gap is not an oversight. It is accumulated risk that was allowed to compound until someone finally exploited it.

The intrusion then played out with the patience that defines modern ransomware. Investigators determined the attacker had gained access as early as June 11 but only began active operations during the night of June 22 into June 23, meaning the intruder sat undetected inside the network for more than a week. That dwell time is where the real damage was done. It gave the attacker room to map the environment, gather credentials and stage data for exfiltration before anyone noticed. Patch debt opened the door, and a lack of detection let the visitor wander the house at leisure.

What Leaked, and What They Kept Back

The attackers ultimately leaked roughly 44 gigabytes of stolen data online, and the contents read like a worst case inventory. The exposed files include internal documents, email correspondence, software code repositories, digital certificates, cryptographic keys and user credentials. That is not just a privacy problem. Leaked certificates and cryptographic keys can undermine the trust that other systems place in the organization, and exposed source code and credentials hand future attackers a map and a set of keys for follow on intrusions long after the initial incident is closed.

Just as important is what the public leak did not reveal. Investigators believe the attackers accessed significantly more information than they ultimately published, which is a common and deliberate tactic. Releasing a fraction of the haul proves capability and applies pressure while holding the rest in reserve as leverage or as inventory for later sale. For any organization on the receiving end, the visible leak is the floor of the exposure, not the ceiling. The prudent assumption is that everything the attacker could reach should be treated as compromised, not only the files that happened to appear online.

No Ransom, and a Familiar Adversary

In an unusual twist, the company said it received no ransom demand, and it stated that it would refuse to pay if one arrived. That stance removes the negotiation theater that usually accompanies these incidents and puts the entire burden on recovery and resilience rather than on a payment decision. It is a defensible position, and arguably the right one, but it also means the organization had to rebuild and restore on its own timeline, which is exactly why the outage stretched across weeks and why so many contract customers were left waiting for access.

The attribution raises the stakes further. Latvia's national computer emergency response team, CERT.LV, tied the intrusion to a foreign, financially motivated ransomware group that has previously targeted companies and public institutions across NATO and European Union countries. Latvian officials framed the attack as a warning about national cybersecurity risk, and authorities were careful to confirm that election infrastructure was not compromised, because that software was developed in a separate environment with no code stored in the company's repositories. That separation is the one design decision here that clearly worked, and it stands in sharp contrast to the two year patch gap that did not.

The Lesson Is Patch Debt

Strip this incident to its essentials and it is a story about maintenance, not about sophistication. A profitable, strategically important organization was brought to a halt for weeks because a single system went two years without an update. Every enterprise carries some version of this risk in the form of legacy systems that are hard to patch, business units that resist downtime, and asset inventories that are incomplete enough that nobody is quite sure what is exposed. The Latvijas Valsts Meži attack is what that risk looks like when it finally comes due, and the bill is paid in outages, leaked keys and lost customer access.

The corrective is unglamorous and well understood, which is what makes the failure so frustrating. Know every internet reachable asset, patch on a defined cadence, and treat a system that cannot be patched as a system that must be isolated or retired. Pair that with detection capable of catching an intruder during the week they spend quietly preparing, rather than only when the encryption starts. Latvia kept its election systems safe through separation, and it should carry that same discipline to the rest of its estate. Patch debt is the most boring vulnerability in security, and it remains one of the most reliably exploited.

Tagged#news#security#ransomware#cybersecurity#breach