Safety researchers first noticed LunaLock in early September 2025, a complicated ransomware pressure focusing on unbiased illustrators and digital artists.
Leveraging compromised credentials and social engineering, the group behind LunaLock has zeroed in on a distinct segment market—Artists & Purchasers—the place freelance creators change customized commissions.
Preliminary intrusion concerned spear-phishing campaigns disguised as royalty notifications, engaging victims to obtain trojanized ‘bill’ attachments.
As soon as executed, the payload establishes a foothold and begins reconnaissance of artwork belongings and consumer databases, all whereas making ready for speedy encryption.
VenariX analysts recognized LunaLock’s multi-stage deployment after correlating uncommon outbound HTTP requests from artist workstations with the timing of mass file encryption.
Their telemetry revealed that the malware extracts consumer tokens from Microsoft Groups and Slack purchasers, permitting lateral motion throughout shared design repositories and mission administration platforms.
Victims report encrypted supply PSD and AI information with a novel “.lunalock” extension appended to filenames, accompanied by a ransom word demanding cost in Monero.
Ransom web page (Supply – X)
The ransomware’s influence extends past information encryption: stolen paintings is exfiltrated to a distant command-and-control server earlier than victims obtain decryption keys, creating twin leverage.
Publicly disclosed samples present a modular structure that includes plugins for community propagation, credential theft, and evasion of endpoint detection techniques.
A notable innovation is the combination of a minified JavaScript module that disables Home windows Defender real-time scanning processes by injecting into the Service Management Supervisor.
An infection Mechanism
A deep dive into LunaLock’s an infection mechanism uncovers a customized loader that dynamically resolves Win32 API calls to evade static evaluation.
Upon execution, the loader parses its personal PE header to find the IAT and reconstruct API names utilizing an XOR-based obfuscation key. As soon as the resolve operate is in place, the primary payload is mapped into reminiscence with out ever touching the disk:
// Dynamic API decision snippet
BYTE obfName[] = {0x5F,0x23,0xA7,0x19}; // XOR key
for (DWORD i = 0; i
Following decision, LunaLock establishes persistence by making a hidden Scheduled Job named “SysUpdate,” guaranteeing execution at each reboot.
The loader then indicators the C2 server by way of HTTPS, confirming profitable deployment earlier than initiating AES-256 encryption throughout mapped community drives.
Increase your SOC and assist your staff shield your enterprise with free top-notch risk intelligence: Request TI Lookup Premium Trial.
