Cert.lv: Hacker behind LVM attack sought attention, not profit

The hacker who carried out the cyberattack on AS "Latvijas valsts meži" (LVM) was more interested in drawing attention to themselves than in making money, according to Baiba Kaškina, head of the cyber incident response institution Cert.lv, in an interview with Latvian Television's morning program "Rīta panorāma".

She emphasized that what matters most for LVM is that backup copies exist and were not destroyed, contrary to some claims. These backups allow for system recovery, and most services have already been restored. Kaškina acknowledged that large amounts of data have been leaked, but work is ongoing to determine exactly what data was compromised.

She explained that the same individual or group has been carrying out such attacks for over a year, totaling more than 200 attacks in various countries. The method of breaching systems is always carefully documented, and leaked data is published. There have been cases where victims contacted the attacker and possibly paid, but the data was still leaked.

As reported, the hacker behind the LVM attack expects more than 600,000 euros for decrypting the data. Cybersecurity expert Elvijs Strazdiņš noted on his YouTube channel that the hacker is demanding 0.1% of LVM's total revenue, which in 2025 was 618.6 million euros, translating to approximately 618,600 euros. Strazdiņš pointed out that legally this does not constitute blackmail, as the hacker did not directly contact LVM.

LVM previously told LETA that the company will under no circumstances pay any ransom. All files are backed up. LVM has reported the incident to the State Police, which has initiated criminal proceedings.

Responsibility for the attack was claimed by a foreign financially motivated ransomware group that has carried out similar operations against companies and government institutions in other countries. LVM's IT team is gradually restoring internal IT systems to ensure business continuity.