Ransomware hits Latvia's state forestry firm through a two year old flaw

A ransomware attack has disrupted Latvijas Valsts Meži, the state owned company that manages Latvia's forests, knocking out systems used for mapping, hunting permits, contractor coordination, and customer service. The attackers say they also stole about 44GB of internal files, and the way in is a familiar one: a system that had been left unpatched for two years.

According to Check Point Research's weekly threat intelligence bulletin, the leaked trove includes internal documents, credentials, cryptographic keys, source code, and email correspondence. Beyond the operational disruption, that mix is dangerous on its own: stolen credentials and keys can hand attackers a route back in or into connected systems, and leaked source code can reveal further weaknesses to exploit.

A preventable break in

The most striking detail is how the attackers got in. Exploiting software that had gone two years without a patch is not a sophisticated feat, it is the result of a gap in basic maintenance. Public sector and state owned bodies are frequent ransomware targets precisely because tight budgets and complex legacy systems let known, fixable flaws linger. IntelFusions recently reported similar pressure on Nordic public institutions when a new crew hit a Norwegian municipality and healthcare firms. Latvia's national cyber posture is tracked on the IntelFusions Latvia country profile.

What you should do

The incident is a blunt reminder that patching internet facing and business critical systems on a predictable schedule remains one of the highest value defenses against ransomware. Organizations should inventory unpatched software, prioritize anything reachable from outside the network, and assume that any credentials or keys stored on a compromised system are already burned and must be rotated. Reliable, tested, offline backups are what turn an attack like this from a catastrophe into a recoverable outage.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions