Full Report
Matthew Gault reports: An old school ransomware attack has a new twist: threatening to feed data to AI companies so it’ll be added to LLM datasets. Artists&Clients is a website that connects independent artists with interested clients. Around August 30, a message appeared on Artists&Clients attributed to the ransomware group LunaLock. “We have breached the...
Analysis Summary
# Incident Report: LunaLock Ransomware Attack on Artists&Clients Targeting AI Data Submission
## Executive Summary
Artists&Clients, a website that connects independent artists with clients, suffered a ransomware attack attributed to the LunaLock group around August 30, 2025. The attackers encrypted and stole all site data and demanded a $50,000 ransom. The unusual element of the threat was a promise to submit the stolen artwork and user data to AI companies for inclusion in training datasets if payment was not made; the site went offline during the incident.
## Incident Details
- **Discovery Date:** Information surfaced around August 30, 2025, when a message appeared on the site.
- **Incident Date:** Approximately August 30, 2025.
- **Affected Organization:** Artists&Clients (a website connecting independent artists with clients).
- **Sector:** Online Services / Creative Marketplace.
- **Geography:** Not explicitly disclosed for the company, but the reporting is international.
## Timeline of Events
### Initial Access
- **Date/Time:** Around August 30, 2025.
- **Vector:** Identified as an "old school ransomware attack." Specific initial vector (e.g., RDP, phishing) is not detailed.
- **Details:** The LunaLock group breached the website.
### Lateral Movement
- Details on lateral movement within the network are **not provided** in the source material.
### Data Exfiltration/Impact
- **What was stolen or damaged:** All website data, including source code and personal data of users (artists and clients), was encrypted and stolen.
- **Threat:** The primary impact threat was public release of data *and* submission of all artwork to AI companies for inclusion in training datasets.
### Detection & Response
- **How it was discovered:** The threat was publicized via a message posted on the Artists&Clients website attributed to LunaLock.
- **Response actions taken:** The website went offline on Tuesday (following the Aug 30 announcement/discovery).
## Attack Methodology
- **Initial Access:** Ransomware deployment (specific initial mechanism unknown).
- **Persistence:** Not detailed; sustained access is implied by the attackers' ability to exfiltrate and then encrypt the data.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed, but source code and user data were accessed.
- **Lateral Movement:** Not detailed.
- **Collection:** Stole all data, including source code and personal data.
- **Exfiltration:** Data was stolen prior to encryption.
- **Impact:** Data encryption and extortion based on two threatened exposures: public release of the data and submission of the artwork to AI companies for training datasets.
## Impact Assessment
- **Financial:** Ransom demand was $50,000. Costs associated with site downtime and recovery are unknown.
- **Data Breach:** Stolen data included source code and personal data of users (artists and clients).
- **Operational:** The website went offline on Tuesday following the attack announcement.
- **Reputational:** Significant potential damage due to the public extortion and unique threat to compromise creative work via AI training sets.
## Indicators of Compromise
- **Network indicators - defanged:** None provided.
- **File indicators:** None provided, though encryption of files occurred.
- **Behavioral indicators:** Ransomware group identified as "LunaLock."
## Response Actions
- **Containment measures:** The website was taken offline shortly after the threat became public.
- **Eradication steps:** Not detailed.
- **Recovery actions:** The attackers promised decryption keys upon payment. The actions taken by the organization are unknown beyond taking the site down. Payments were not confirmed.
## Lessons Learned
- **Key takeaways:** Traditional ransomware tactics (encryption and public release) are being augmented with novel threats specifically targeting data usage (e.g., feeding data to AI models).
- **What could have been done better:** The initial vector is not disclosed, but the description of the intrusion as "old school ransomware" suggests it was likely preventable, pointing to possible gaps in perimeter defense or patch management.
## Recommendations
- Implement robust, layered security controls to prevent ransomware deployment.
- Review data handling and storage policies, especially regarding intellectual property (artwork) that could be weaponized in novel ways (like AI data poisoning).
- Maintain comprehensive, segmented backups offline so that encryption of production systems does not prevent recovery without paying a ransom.