Remove Salsa Ransomware Virus And Recover .salsa222 Files

Salsa (Salsa222) is a ransomware virus that encrypts your files and demands a BitCoin payment to restore them. The desktop background is changed to a black image saying “SALSA PERSONAL FILES ENCRYPTED”, files receive a “.salsa222” extension, and a ransom note is repeatedly opened automatically.

The ransomware operates similarly to other viruses of this kind; however, it stands out due to the number of available languages. It has currently been translated into 40 different languages, which indicates that the distribution campaign is expected to be wide and aggressive.

Even though the virus creators promise to provide you with a decryption program and key after you pay the ransom, there is no guarantee that they will not ignore you afterwards. Following their instructions might also lead to further infections. Therefore, you should remove the threat yourself instead of paying the ransom.

We have a recommended automatic ransomware removal tool which will not only eliminate the threat but will also protect your system from viruses in the future. We also have a manual removal guide for more experienced users but it only removes the threat source.

Unfortunately, currently there is no official decrypter developed for this kind of ransomware. However, we have several alternative file recovery methods listed below which you will be able to use after you completely eliminate the virus.



What is Salsa222 ransomware?

Salsa222 encrypts your files so that opening them without a private decryption key becomes impossible. It then asks for a ransom payment via BitCoin and promises to provide you with the key afterwards. The ransom amount varies and there have been recorded cases of $100 or $150 demanded from infected users.

This ransomware changes file extensions to .salsa222 (hence the name). For example, “sample.docx” becomes “sample.docx.salsa222”. After the encryption process finishes, it also changes the desktop wallpaper and starts opening browser windows with ransom notes every 60 seconds.

The ransom notes are located in a folder named “CLICK HERE TO UNLOCK YOUR FILES SALSA222” and are available in 40 different languages. Unlike other similar ransomware, Salsa222 does not have an external payment website and includes all information in a dedicated folder, making it accessible offline as well.

The ransom note contains the following text:

READ CAREFULLY IF YOU WANT YOUR FILES BACK!
Your computer has been locked and your files are encrypted. 
A one-time payment is required to restore access. 
PRICE WILL DOUBLE IF PAYMENT IS LATE. FILES WILL BE DELETED FOR FAILURE TO PAY.
Date (PRICE WILL DOUBLE): -
Date (FILES WILL BE DELETED): -
Disable your Anti Virus now! If this program is deleted by your Anti Virus, 
you lose your files forever because it is impossible to decrypt your files!
PRICE: $150 in Bitcoins
We only accept bitcoins! Follow the steps below to decrypt your files:
1. Send exactly 0.124831 [BTC,BITCOINS] to this bitcoin address: 19XrBf6x3XvEVvjNryyeEfyEVmH1bwoCZE
2. After you send the payment, wait a few minutes...your files will be automatically decrypted and repaired. 
Your computer/files will be back to normal.

BitCoin purchase and transfer instructions are also included in the note as well as several links to a decryption tool which is supposed to work with the private key you are promised to receive after making a payment.

Currently there is no information on how this virus is being distributed. Most likely it uses well known methods like email spam, exploit kits and bundling with illegal software. A botnet is probably employed since the campaign seems to be quite noticeable when compared to other recent ransomware.

We strongly recommend removing this virus by yourself instead of paying the ransom. There is no guarantee that the criminals will provide you with a correct decryption key or that they will not leave a backdoor and target you again. Therefore, you should first completely remove the threat and then try alternative file recovery methods.

We have an automatic removal tool which will also act as an antivirus in the future. This is the most reliable and easiest removal option. We also have a manual guide describing how to eliminate this threat. However, it does not guarantee protection in the future.



 Manual Removal Instructions:

NB: Bookmark this page so that you can access it after you restart your computer while working on the removal process! You can also print it out or open it on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since Salsa222 is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause more damage.

Step 1:

Find any processes that might be associated with the Salsa ransomware virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Start by scanning these commonly infected processes:

svchost.exe
salsa222.exe

Also look for other randomly named .exe files. If you find such a file, note down its name, as you will need to search for it in the Windows Registry later.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all suspicious processes.
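The check in Step 1 can also be scripted. The following is an added example, not part of the original guide: it lists running processes that match the guide's criteria (svchost.exe outside its normal folder, "salsa" in the name, or running from the user-writable folders covered in Steps 4 and 5) together with a SHA-256 hash that can be searched on virustotal.com. It assumes Windows PowerShell 5.1 in an elevated prompt.

```powershell
# Added example (not from the original guide); read-only, changes nothing.
$sys32 = Join-Path $env:WinDir 'System32'
$wow64 = Join-Path $env:WinDir 'SysWOW64'
# User-writable locations that Steps 4 and 5 of the guide inspect.
$userDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $path    = $_.ExecutablePath
        $dir     = Split-Path $path -Parent
        $reasons = @()
        # The genuine svchost.exe lives only in System32 or SysWOW64.
        if ($_.Name -eq 'svchost.exe' -and $dir -ne $sys32 -and $dir -ne $wow64) {
            $reasons += 'svchost.exe outside System32'
        }
        if ($_.Name -like '*salsa*') { $reasons += 'file name listed in this guide' }
        foreach ($d in $userDirs) {
            if ($d -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "runs from $d"
            }
        }
        if ($reasons.Count -gt 0) {
            $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                Path      = $path
                SHA256    = $hash.Hash
                Reason    = $reasons -join '; '
            }
        }
    } | Format-List
```

A listed process is a candidate for review, not a verdict: legitimate software also runs from these folders, so check the hash before ending a process or deleting its file.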

Step 2:

Check your hosts file for any suspicious IPs.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts file will open in Notepad. Delete any IPs that are not marked with a “#” in front of them, except the “127.0.0.1 localhost” entry.
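To see at a glance which lines Step 2 asks you to review, the added example below (not part of the original guide) parses the hosts file and reports every active entry other than the localhost line. It assumes Windows PowerShell 5.1 and only reads the file.

```powershell
# Added example (not from the original guide); read-only.
$hostsPath = Join-Path $env:WinDir 'System32\drivers\etc\hosts'
# The one entry the guide says to keep; extend this list if you
# maintain legitimate entries of your own.
$keep = @('127.0.0.1 localhost')

$lines = @(Get-Content -LiteralPath $hostsPath)
$findings = for ($i = 0; $i -lt $lines.Count; $i++) {
    # Strip inline comments, then skip blank and comment-only lines.
    $entry = ($lines[$i] -replace '#.*$', '').Trim()
    if (-not $entry) { continue }
    # Normalise tabs and repeated spaces before comparing.
    $fields = @($entry -split '\s+')
    if ($keep -contains ($fields -join ' ')) { continue }
    [pscustomobject]@{
        Line    = $i + 1
        Address = $fields[0]
        Names   = ($fields | Select-Object -Skip 1) -join ', '
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No active entries besides the localhost line.'
}
# A recent modification time is a hint that the file was tampered with.
"hosts last modified: $((Get-Item -LiteralPath $hostsPath).LastWriteTime)"
```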

Step 3:

Remove suspicious programs from your startup configuration so that they do not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up Windows temporary files as there are usually several Salsa ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 5:

Check for any recent changes in all the other important system files.

Salsa usually makes changes to important system files in order to stay undetected.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! First, search for any recent changes in the files (sort by “Date Modified”). Only if you see that a file has just been changed, scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

The virus might copy its files to this directory so you might find randomly named .exe, .dll, .bat, .vbs or other recently placed files.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
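Sorting four large directory trees by “Date Modified” by hand is slow, so here is an added example (not part of the original guide) that lists recently created or modified .exe, .dll, .bat and .vbs files in the Step 5 directories, with a hash for each. The 7-day window, the output file name and the signature column are assumptions of this example; it assumes Windows PowerShell 5.1 in an elevated prompt.

```powershell
# Added example (not from the original guide); read-only apart from the CSV it writes.
$days  = 7                                   # assumption: look-back window in days
$since = (Get-Date).AddDays(-$days)
$exts  = '.exe', '.dll', '.bat', '.vbs'      # file types named in Step 5
$roots = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:WinDir
$out   = Join-Path $env:USERPROFILE 'recent-binaries.csv'   # hypothetical output file

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $exts -contains $_.Extension -and
            ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since)
        } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Modified  = $_.LastWriteTime
                Created   = $_.CreationTime
                Signature = $sig.Status      # a hint only, not a verdict
                SHA256    = $hash.Hash       # search this value on virustotal.com
                Path      = $_.FullName
            }
        }
}

# Full list goes to the CSV; files without a valid signature are shown first on screen.
$hits | Sort-Object Modified -Descending | Export-Csv -LiteralPath $out -NoTypeInformation
$hits | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Modified, Signature, Path -AutoSize
```

Scanning %WinDir% takes several minutes, and recent Windows updates will also appear in the list. File timestamps can be changed by malware, so an empty result does not prove the directories are clean.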

Step 6:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

 

Search for the ransomware entries by pressing CTRL + F and entering the file extension name in the search field. For example:

salsa222

Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following text:

SalsaDownload
READ TO UNLOCK FILES
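The startup review in Step 3 and the registry search in Step 6 overlap in the autostart keys. The added example below (not part of the original guide) lists every value in the common Run and RunOnce keys and in the Startup folders, and marks those containing one of the three search strings above. It covers only these autostart locations, not the whole registry, and assumes Windows PowerShell 5.1.

```powershell
# Added example (not from the original guide); read-only.
$needles = 'salsa222', 'SalsaDownload', 'READ TO UNLOCK FILES'   # strings from Step 6
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$rows = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $hit  = $needles | Where-Object { $name -like "*$_*" -or $data -like "*$_*" }
        [pscustomobject]@{
            Location = $key
            Name     = $name
            Command  = $data
            Matches  = $hit -join ', '
        }
    }
}

# Per-user and all-users Startup folders, shown on the msconfig Startup tab as well.
$rows += foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $n = $_.Name
            [pscustomobject]@{
                Location = $dir
                Name     = $n
                Command  = $_.FullName
                Matches  = ($needles | Where-Object { $n -like "*$_*" }) -join ', '
            }
        }
}

$rows | Format-List
'Entries matching the Step 6 search strings:'
$rows | Where-Object { $_.Matches } | Format-List
```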

Step 7:

Use Windows File Search (you can access it from the Windows Start Menu by simply pressing the Windows key) to find the following files and, if found, delete them (some of them might have already been deleted during the earlier steps):

SalsaDownload.exe
Salsa222.exe

You should also delete “SalsaDecryptor.exe”, but you can make a backup of it on separate media.

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on separate external media in case you are not able to recover the files using our methods.

Check for Salsa222 ransomware file decrypter here: List of currently available decrypters. Currently it is not decryptable but virus researchers might develop a tool in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

cmd

Click OK.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) in our file recovery guide. This guide includes instructions on how to restore the files from a backup or shadow copies, as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively, you could make a backup of all encrypted files, store it externally and wait for a Salsa decrypter to be created. New free decrypters for various ransomware appear every week, but we cannot estimate the waiting time or whether one will be created at all.
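Before working through Steps 2 and 3, and before backing up the encrypted files, it helps to record what is actually available. The added example below (not part of the original guide) lists restore points and shadow copies and writes an inventory of all .salsa222 files; the search root and output file name are assumptions of this example. It assumes Windows PowerShell 5.1 in an elevated prompt.

```powershell
# Added example (not from the original guide); read-only apart from the CSV it writes.

# 1. Restore points that System Restore (Step 2) can offer.
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize

# 2. Shadow copies that Step 3 can read from, oldest first.
Get-CimInstance Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object InstallDate, VolumeName, ID |
    Format-Table -AutoSize

# 3. Inventory of encrypted files, for the external backup and for
#    checking later which files were recovered.
$root  = Join-Path $env:SystemDrive 'Users'                     # assumption: search root
$out   = Join-Path $env:USERPROFILE 'salsa222-inventory.csv'    # hypothetical output file
$files = @(Get-ChildItem -LiteralPath $root -Recurse -File -Force `
               -Filter '*.salsa222' -ErrorAction SilentlyContinue)

$files |
    Select-Object @{ n = 'OriginalName'; e = { $_.Name -replace '\.salsa222$', '' } },
                  Length, LastWriteTime, DirectoryName |
    Export-Csv -LiteralPath $out -NoTypeInformation -Encoding UTF8

"Encrypted files found: $($files.Count)"
if ($files.Count -gt 0) {
    # Heuristic: the earliest write time among encrypted files approximates
    # when encryption began; choose a restore point or shadow copy from before it.
    $first = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    "Earliest encrypted file written: $first"
}
```

If the first two commands return nothing, the restore points and shadow copies have been removed and Steps 2 and 3 will not succeed.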

After removing the virus

When you have finished removing the Salsa222 ransomware virus you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

