SUMMON Ransomware

The SUMMON Ransomware is a file-locking Trojan that keeps the user's digital media, such as documents, from opening. The SUMMON Ransomware is a likely update of the LANDSLIDE Ransomware, a Russia-based threat with no free decryption solution. While most users can remove the SUMMON Ransomware with appropriate security products, they also should have backups for protecting their files against its non-consensual data encryption.

Conjuring Up Attacks from the Bones of Old Trojans

File-locking Trojans that act independently of Ransomware-as-a-Services provide crime opportunities for threat actors without giving up a portion of the ransom – a not-insignificant advantage. Although whipping one up from scratch is possible, many threat actors prefer basing their software off previous examples or even slightly-updating an old program. Such seems the case with the new SUMMON Ransomware campaign, a Russian file-locker Trojan.

Many aspects of the SUMMON Ransomware's payload are paint-by-numbers, including the encryption that blocks its victim's documents, pictures and other files. The Trojan is compatible with Windows environments only and marks the files it locks by prepending some of its ransom information to their names and appending the 'SUMMON' extension. This attack stops most valuable files from opening and places the victim's data in a 'hostage' situation.

The SUMMON Ransomware profits from the above by generating an HTA-formatted pop-up window with its ransoming information, which sells the user the attacker's custom unlocking solution. Of significance is that malware experts find that the SUMMON Ransomware's message is an almost direct copy of the LANDSLIDE Ransomware instructions, excepting changes to addresses and branding. That the SUMMON Ransomware campaign still references Russian currency also highly suggests a target demographic, even if Windows users anywhere are vulnerable.

Banishing Trojans Back to Whence They Came

Countermeasures for the SUMMON Ransomware infections require no unusual steps. Like other file-locking Trojans, the SUMMON Ransomware endangers files with usually-unbreakable encryption, and malware experts recommend saving backups to other devices for restoring. Backups should use either disconnected storage or additional security, such as passwords, for optimal protection from these threats. The Restore Points usually will experience deletion at roughly the same time as the encryption routine proceeds in the background.

Although the SUMMON Ransomware campaign is somewhat newer than that of the LANDSLIDE Ransomware, malware analysts can find no samples related to infection exploits or tactics. Attackers may break into poorly-protected servers through public vulnerabilities or brute-forcing passwords, both of which are preventable with the appropriate security precautions. Users also can infect their devices by opening disguised e-mail attachments or downloading illicit torrents (pertinent to the Russian Web particularly).

Nearly all professional cyber-security suites will flag and remove the SUMMON Ransomware before it begins attacking any files. Users should note that removing the Trojan on already-infected systems doesn't unlock the files.

Coming to the threat landscape roughly a month after its ancestor, the SUMMON Ransomware is more Russia-oriented encryption for a demographic that, once, wasn't a promising target for hackers. Times and tactics may change, but motives don't; for Trojans like the SUMMON Ransomware, it's still all about the Bitcoins.