LunaLock Ransomware Attacking Artists to Steal and Encrypt Data

Security researchers first observed LunaLock, a sophisticated ransomware strain targeting independent illustrators and digital artists, in early September 2025.

Leveraging compromised credentials and social engineering, the group behind LunaLock has zeroed in on a niche marketplace—Artists & Clients—where freelance creators exchange custom commissions.

Initial intrusion involved spear-phishing campaigns disguised as royalty notifications, enticing victims to download trojanized ‘invoice’ attachments.

Once executed, the payload establishes a foothold and begins reconnaissance of art assets and client databases, all while preparing for rapid encryption.

VenariX analysts identified LunaLock’s multi-stage deployment after correlating unusual outbound HTTP requests from artist workstations with the timing of mass file encryption.

Their telemetry revealed that the malware extracts user tokens from Microsoft Teams and Slack clients, allowing lateral movement across shared design repositories and project management platforms.

Victims report encrypted PSD and AI source files with a unique “.lunalock” extension appended to the filenames, accompanied by a ransom note demanding payment in Monero.

Ransom page (Source – X)

The ransomware’s impact extends beyond data encryption: stolen artwork is exfiltrated to a remote command-and-control server before victims receive decryption keys, creating dual leverage.

Publicly disclosed samples show a modular architecture featuring plugins for network propagation, credential theft, and evasion of endpoint detection systems.

A notable innovation is the integration of a minified JavaScript module that disables Windows Defender real-time scanning processes by injecting into the Service Control Manager.

Infection Mechanism

A deep dive into LunaLock’s infection mechanism uncovers a custom loader that dynamically resolves Win32 API calls to evade static analysis.

Upon execution, the loader parses its own PE header to locate the IAT and reconstruct API names using an XOR-based obfuscation key. Once the resolve function is in place, the main payload is mapped into memory without ever touching the disk:

// Dynamic API resolution snippet
#include <windows.h>
BYTE obfName[] = {0x5F,0x23,0xA7,0x19}; // 4-byte XOR key, reused cyclically over the name
// encName / nameLen: the XOR-encoded API name and its length, embedded in the loader
char nameBuf[64];
for (DWORD i = 0; i < nameLen; ++i) {
    nameBuf[i] = obfName[i % sizeof(obfName)] ^ encName[i]; // wrap the key instead of reading past it
}
nameBuf[nameLen] = '\0'; // GetProcAddress needs a NUL-terminated name
HMODULE hMod = LoadLibraryA("kernel32.dll");
FARPROC pFunc = GetProcAddress(hMod, nameBuf);
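As an added analyst-side example (not LunaLock's code and not from the article): decoding a table of XOR-obfuscated API names with the 4-byte key shown in the snippet, and recovering the key from a sample by known plaintext. It assumes the key is applied cyclically and that names are stored NUL-separated; the encoded table below is constructed for the demo, not taken from a real sample.

```python
# Added example: string deobfuscation as a reverser would do it for a loader
# like the one described above. KEY is the 4-byte value from the article's
# snippet; the name table is CONSTRUCTED here, not extracted from LunaLock.
from typing import List, Optional

KEY = bytes([0x5F, 0x23, 0xA7, 0x19])  # XOR key from the snippet


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, wrapping the key over the whole buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_names(blob: bytes, key: bytes = KEY) -> List[str]:
    """Decode a NUL-separated table of obfuscated names (assumed layout)."""
    plain = xor_cycle(blob, key)
    return [s.decode("ascii") for s in plain.split(b"\x00") if s]


def recover_key(encoded: bytes, crib: bytes, key_len: int = 4) -> Optional[bytes]:
    """Known-plaintext recovery: if `crib` is the first name in the table,
    the repeating key is encoded[i] ^ crib[i] for the first key_len bytes.
    Returns None when the candidate does not decode the full crib, i.e. the
    guessed name was wrong or the key length differs."""
    if len(crib) < key_len or len(encoded) < len(crib):
        return None
    cand = bytes(encoded[i] ^ crib[i] for i in range(key_len))
    if xor_cycle(encoded[:len(crib)], cand) != crib:
        return None
    return cand


# Constructed string table of names an unpacker would typically resolve.
NAME_TABLE = b"VirtualAlloc\x00CreateFileW\x00CryptEncrypt\x00"
ENCODED_TABLE = xor_cycle(NAME_TABLE, KEY)

if __name__ == "__main__":
    print(decode_names(ENCODED_TABLE))
    print(recover_key(ENCODED_TABLE, b"VirtualAlloc"))
```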

Following resolution, LunaLock establishes persistence by creating a hidden Scheduled Task named “SysUpdate,” ensuring execution at every reboot.

The loader then signals the C2 server via HTTPS, confirming successful deployment before initiating AES-256 encryption across mapped network drives.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.