Cybersecurity

LunaLock, a newly identified ransomware strain, has initiated a targeted campaign against independent artists and their clients. This ransomware demands a substantial ransom for the return of stolen creative works and leaked personal data.

Since its emergence in early September 2025, the LunaLock group has claimed responsibility for breaching Artists & Clients, a prominent digital marketplace connecting illustrators with clients seeking custom artwork.

Reports indicate that LunaLock operators exploited a critical vulnerability in Artists & Clients’ remote desktop service, resulting in widespread connection timeouts and host errors on September 6, 2025. Users attempting to access the platform encountered a “Connection timed out” message, revealing a “Host Error” indicating the breach was within the application itself. Subsequently, a ransom notice appeared on the site’s login page.

The countdown clock on the ransom notice displayed 4 days, 8 hours, 11 minutes, and 6 seconds, emphasizing the urgency of the threat.

The group further threatened that failure to pay the ransom would result in all artwork being submitted to AI training datasets sold to major technology companies.

Impact on Independent Artists

LunaLock’s focus on a niche community distinguishes this campaign from broader ransomware attacks.

By targeting a platform dedicated to art commissions, the attackers aim to extract high-value intellectual property, including unfinished illustrations, client briefs, contract details, and banking information. The leak of such data not only jeopardizes artists’ livelihoods but also exposes clients’ personal and financial privacy.

Several illustrators reported losing access to their portfolios, commission archives, and chat histories with clients. One freelance concept artist described the attack as a breach of trust, with months of confidential sketches and references now held hostage.

Security researchers at VenariX, a cyber threat intelligence startup, are analyzing LunaLock’s code and messaging patterns. The ransom notes resemble those of high-profile ransomware families but feature unique branding with lunar imagery, suggesting an effort to establish a recognizable extortion franchise.

VenariX analysts advise affected organizations not to engage directly with attackers or negotiate through unverified channels. Instead, they recommend immediate containment by isolating infected servers, preserving logs for forensic analysis, and consulting incident response firms specializing in the creative and media sectors.

Mitigations

LunaLock’s operators utilize cryptocurrency mixers to obfuscate transactions, complicating efforts to trace payments.

In response to the breach, Artists & Clients temporarily suspended its service to implement emergency patches and conduct a thorough security audit. The platform’s leadership issued a public apology and pledged to reimburse hosting costs for commission holds while offering free subscription extensions to regain user confidence.

Independent cybersecurity volunteers have mobilized online, using the hashtag #LunaLock to share mitigation tips:

• Backup Practices: Store critical files in offline or immutable backup systems to prevent encryption from ransomware.
• Network Segmentation: Limit lateral movement by isolating production databases and code repositories behind hardened firewalls.
• Multi-Factor Authentication: Enforce MFA on all administrative and account-level logins to reduce the risk of credential theft.

Artists and clients are encouraged to review any unusual account activity and change passwords immediately. Those seeking proactive threat alerts can sign up for free on VenariX’s platform.

As ransomware groups increasingly target creative industries, the LunaLock incident highlights a concerning trend where attackers view independent creators as lucrative targets.

Vigilance, robust security hygiene, and community collaboration remain critical defenses against this emerging threat. Artists & Clients’ prompt response may help mitigate the damage, but the broader ecosystem must prepare for future incursions as ransomware tactics evolve.