
LunaLock Ransomware Targets Artists to Encrypt and Steal Their Data

Security researchers first observed LunaLock in early September 2025, identifying it as a sophisticated ransomware strain specifically targeting independent illustrators and digital artists. The group behind LunaLock uses compromised credentials and social engineering to target a niche marketplace, Artists & Clients, where freelance creators exchange custom commissions. The initial intrusion typically begins with spear-phishing emails disguised as royalty notifications, which entice victims to download trojanized ‘invoice’ attachments. Once executed, the payload establishes a foothold on the victim’s system and conducts reconnaissance of art assets and client databases while preparing for rapid encryption. Analysts from VenariX detected LunaLock’s multi-stage deployment by correlating unusual outbound HTTP requests from artist workstations with the timing of mass file encryption. Their telemetry revealed that the malware extracts user tokens from Microsoft Teams and Slack clients, enabling lateral movement across shared design repositories and project management platforms.

The impact of LunaLock extends beyond data encryption: stolen artwork is exfiltrated to a remote command-and-control server before victims receive decryption keys, giving the attackers dual leverage. Publicly disclosed samples indicate a modular architecture featuring plugins for network propagation, credential theft, and evasion of endpoint detection systems. A notable innovation within LunaLock is the integration of a minified JavaScript module that disables Windows Defender real-time scanning processes by injecting itself into the Service Control Manager.

A deep dive into LunaLock’s infection mechanism reveals a custom loader that dynamically resolves Win32 API calls to evade static analysis. Upon execution, the loader parses its own PE header to locate the Import Address Table and reconstructs API names using an XOR-based obfuscation key. Following this resolution, LunaLock establishes persistence by creating a hidden Scheduled Task named “SysUpdate,” ensuring execution at every reboot.
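Because the loader only rebuilds its Win32 API names at runtime, a static scan of the sample will not show them; an analyst triaging a suspected LunaLock binary can instead brute-force the single-byte XOR key space and keep only keys that reveal known API names, which then feed detection signatures. The following is an added example, not code from the original post or from VenariX; the NUL-terminated string layout, the key 0x5A and the list of API names are assumptions for illustration, since the post does not disclose LunaLock's actual key or encoding.

```python
"""Recover single-byte-XOR-obfuscated Win32 API names from a byte blob.

Added example for analyst triage; the sample blob below is constructed,
and the key/layout are assumptions, not LunaLock's real values.
"""
from __future__ import annotations

import re

# Illustrative Win32 API names a loader of this kind is likely to resolve.
KNOWN_APIS = {
    "VirtualAlloc",
    "CreateFileW",
    "OpenSCManagerW",
    "GetProcAddress",
    "LoadLibraryA",
}

# Runs of identifier characters long enough to be an API name.
_IDENT = re.compile(rb"[A-Za-z0-9_]{6,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def build_sample(names: list[str], key: int) -> bytes:
    """Constructed sample: NUL-terminated names XORed with one key,
    mimicking an obfuscated string table inside a loader."""
    plain = b"".join(n.encode("ascii") + b"\x00" for n in names)
    return xor_bytes(plain, key)


def recover_api_names(blob: bytes, known: set[str] = KNOWN_APIS) -> dict[int, list[str]]:
    """Try all 256 single-byte keys and return {key: [api names found]}
    for every key under which at least one known API name appears.
    Key 0 is included so plaintext names are reported as well."""
    hits: dict[int, list[str]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        found = [
            m.group().decode("ascii")
            for m in _IDENT.finditer(decoded)
            if m.group().decode("ascii") in known
        ]
        if found:
            hits[key] = found
    return hits


if __name__ == "__main__":
    sample = build_sample(["VirtualAlloc", "OpenSCManagerW", "GetProcAddress"], 0x5A)
    for key, names in recover_api_names(sample).items():
        print(f"key 0x{key:02x}: {names}")
```

On a real sample you would run `recover_api_names` over each section of the unpacked binary rather than a constructed blob, and widen `KNOWN_APIS` to an export list of the DLLs the loader imports.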

Categories: Ransomware Attacks, Cybersecurity Threats, Digital Art Security

Tags: LunaLock, Ransomware, Artists, Clients, Spear-Phishing, Encryption, Credential Theft, Malware, Exfiltration, Persistence
