Salsa Ransomware is a newly released encrypting ransomware that appends the .salsa222 extension to the files it encrypts. It makes the files inaccessible and provides instructions on how to pay a ransom to decrypt them. This post gives more details about this ransomware and provides a Salsa Ransomware removal guide and possible data recovery methods.
What do you know about Salsa Ransomware?
| Threat Name | Salsa / Salsa222 Ransomware |
|---|---|
| Type | Encrypting ransomware; malware |
| Operating System | Windows XP, Windows 7, Windows Vista, Windows 8/8.1 and Windows 10 |
| Behavior | Encrypts files by appending the .salsa222 extension to them and demands a ransom payment. |
| Distribution Method | Spam emails, malicious torrents, executables and malicious websites. |
| File decryption method | No decryptor is available for it now; there are some methods you can try. |
| Ransomware Removal | System Restore or a Salsa Ransomware removal tool. |
Salsa Ransomware is computer malware that is able to affect all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10, and encrypts the victim's files. Once installed, it scans your computer for data files and appends the ".salsa222" extension to them. As a result, the encrypted files can't be opened until you pay the ransom as required.
The malware changes the desktop wallpaper to an image telling you what has happened to your PC and creates a folder ("CLICK HERE TO UNLOCK YOUR FILES SALSA222") containing an HTML file and a LANGUADE FILES folder, which include instructions on how to use Bitcoin to pay the ransom and decrypt your files. The folder is placed in each directory containing encrypted files.
Open CLICK HERE TO UNLOCK YOUR FILES SALSA222 folder and you will see a LANGUADE FILES subfolder and a READ TO UNLOCK.salsa.html file. The ransomware supports multiple languages and this makes sure that its victims from different countries can understand its ransom-demand message.
The following screenshots show what is displayed in the HTML file:
In the HTML file, the ransomware tells you that your files are encrypted and that a ransom of $150 in Bitcoins (exactly 0.124831 Bitcoins) is required to restore the data. If you don't send the ransom by a given time, the price will double and the encrypted files will be deleted later. It also asks you to disable your antivirus software and warns that you will lose the encrypted files forever if the ransomware is deleted by a security tool. Then it gives instructions on how to use Bitcoin to send the payment and what you should do if you have paid but the files are not decrypted.
Similar to Cerber ransomware, Locky Ransomware and Osiris Ransomware, this malware can affect the most commonly used file types, such as .jpg, .mp3, .txt, .pdf and so on. Victims won’t be able to decrypt the files unless they have a unique decryptor. So far, there is still no decryptor for Salsa Ransomware. If you don’t have a backup of important files, it’s impossible to restore them. You may recover the files after sending your ransom payment to the bitcoin address given by the malware. But we don’t encourage users to pay the ransom. On the one hand, this will encourage cyber criminals to develop more infections to make more money. On the other hand, there is no 100 percent guarantee that your files will be decrypted after payment. Some victims may lose both files and money in the end.
Note: Since there is no decryptor for Salsa Ransomware now, you need to wait patiently for a free decryption utility to get the encrypted files back. What you can do now is run a virus scanner and remove Salsa Ransomware from the system completely.
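The artifacts described above (the .salsa222 extension and the note folder dropped into each affected directory) are enough to measure how far the encryption reached. The following Python script is an added example, not part of the original post or of any removal tool: it inventories encrypted files per directory and, as an assumption, checks each one against a backup folder that mirrors the scanned folder's layout. The function names and the `backup_root` parameter are hypothetical.

```python
import os
import sys
from collections import defaultdict

EXT = ".salsa222"  # appended extension, as given on the page
NOTE_DIR = "CLICK HERE TO UNLOCK YOUR FILES SALSA222"  # note folder, from the page


def inventory(root, backup_root=None):
    """Map each affected directory to its encrypted files and note-folder status.

    backup_root is an assumed backup that mirrors root's layout; when given,
    each file is checked for a backup copy under its pre-encryption name.
    """
    report = defaultdict(lambda: {"note_folder": False, "files": []})
    for dirpath, dirnames, filenames in os.walk(root):
        if NOTE_DIR in dirnames:
            report[dirpath]["note_folder"] = True
            dirnames.remove(NOTE_DIR)  # skip the note folder's own contents
        for name in filenames:
            if not name.lower().endswith(EXT):
                continue
            original = name[: -len(EXT)]  # name before the extension was appended
            in_backup = None
            if backup_root is not None:
                rel = os.path.relpath(dirpath, root)
                in_backup = os.path.isfile(os.path.join(backup_root, rel, original))
            report[dirpath]["files"].append(
                {"encrypted": name, "original": original, "in_backup": in_backup})
    return dict(report)


def summarize(report):
    """Return (encrypted_count, count_with_backup, dirs_with_files_but_no_note)."""
    files = [f for d in report.values() for f in d["files"]]
    with_backup = sum(1 for f in files if f["in_backup"])
    no_note = sorted(p for p, d in report.items()
                     if d["files"] and not d["note_folder"])
    return len(files), with_backup, no_note


if __name__ == "__main__":
    # Usage: script.py [scan_root] [backup_root]; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    rep = inventory(root, sys.argv[2] if len(sys.argv) > 2 else None)
    total, ok, odd = summarize(rep)
    print(f"{total} encrypted files, {ok} with a backup copy")
    for path in odd:
        print("encrypted files but no note folder:", path)
```

Directories that hold encrypted files but no note folder do not match the behavior described above and are worth a closer look.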
How does your computer get infected with Salsa Ransomware?
Spam email is one of the most common methods cybercriminals use to spread and deliver malware. The ransomware can be included in malicious email attachments and executed on the targeted machines once innocent users open and run them. In addition, it may masquerade as official software updates, such as a Java update or Flash Player update, and pop up when you visit underground websites.
Moreover, malicious links and websites can also be used to distribute the ransomware. To stay away from such malware, please be more cautious when browsing the web.
Salsa Ransomware removal guide and data recovery
The guide below shows how to remove the malware using an advanced antimalware program and some methods that you can try to restore the encrypted files. Though they may not work all the time, some may help you improve the situation.
Important Note: Before trying any decryption, you’d better make sure the computer is free of malware. It’s suggested that you remove the ransomware completely first and then attempt to restore the files.
Step 1: Download and run anti-malware to remove Salsa Ransomware
It's not easy to find and delete all the files associated with the ransomware manually. To find and get rid of the malware completely, we suggest you download and install a professional anti-malware program to scan for the threats and clean them up automatically. The recommended software below is able to detect and remove the ransomware quickly and thoroughly with only a few clicks of the mouse.
Once the tool is downloaded, run it and follow the instructions on the screen to complete the installation.
The tool will run automatically once installed. Usually, it will download and install updates first and then start to scan your computer for malware. If the scan does not start automatically, click on the Scan Computer Now button to start scanning your system for the infection.
The threats related to the ransomware will be found and shown in the scan results. When the scan is completed, click on the Fix Threats button to delete the malicious files.
Tip: To effectively find and delete the malicious files, you can enter safe mode and then perform a full scan of the system with the security tool. See How to Start Windows Based OS in Safe Mode.
Alternatively, use System Restore to remove the ransomware manually:
System Restore is “a feature in Microsoft Windows that allows the user to revert their computer’s state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems.” If the System Restore function was enabled on your infected operating system before, this method may work.
Follow the guide below to perform a system restore in different Windows systems.
Press Windows key + X key or right click on the Start button in the lower left corner of the screen to open the quick link menu. Select the System item in the menu.
Click on the System Protection tab on the left side as shown below.
Click on System Restore. (If System Restore is greyed out, you will have to check whether your current hard drive has System Protection turned on. By default it should be, but if you want to enable it on another drive, simply select it, click on Configure… and then select Turn on system protection.)
If this is your first time doing a System Restore, click on Next. If you had previously done a System Restore, select Choose a different restore point, and click on Next.
(Note: Make sure you have created some restore points; you won't be able to do a system restore if no restore points are available.)
Select a restore point that you would like to restore Windows back to, and click on the Scan for affected programs button.
Review what will be affected by using the selected restore point. When finished, click on Close.
When you are ready to do a System Restore with a selected restore point, click on Next.
Click on Finish to begin the System Restore.
Click on Yes to confirm. This is your last chance to cancel the System Restore.
Your PC will now restart and perform a System Restore.
When the System Restore has completed successfully and you have signed back in to your desktop, click on Close.
Restart your computer and Osiris Ransomware will disappear. But please note that the files are still encrypted.
For Windows 8/8.1 users,
Hover your mouse over the lower left corner of the screen until the Start menu appears. Right click on the Start menu and select Control Panel. If you use Windows 8.1, right click on the Start button and click on Control Panel.
In the Control Panel window, select “Recovery” under Type by: Large icons.
Select “Open system restore”.
The main screen for System Restore will be displayed. If you are prompted to continue, click on the Next > button and a recent restore point and your last critical update will be shown there.
If you are sure that the most recent restore point is not the date your problem started, check the box next to Show more restore points in the lower left corner and you will see a list of available restore points.
Select the restore point from when your computer issues started to occur and click the Next button.
The screen will ask for your confirmation. Click on the Finish button if you are sure you want to continue.
When you are asked for confirmation again, click on Yes. System Restore will now reboot your computer and begin the restore process. The restore task will take some time to complete, so please be patient.
When the system restore task completes successfully, a confirmation box will be displayed on your desktop after system reboot. Then Osiris Ransomware is gone from your computer.
For Windows 7/Vista users
Click on Start button→ All Programs → Accessories → System Tools → System Restore….
When the System Restore window appears, you can directly click on the Next button if you are sure that the date of the Recommended restore is the time the computer problem started.
If the computer issue occurred earlier than the time of the recommended restore, you can click the Choose a different restore point option and click the Next button to select the desired restore point.
Select a restore point you wish to restore and click the Next button. If the desired restore point isn't shown there, check Show more restore points and choose the restore point which caused the computer problem. Then click on the Next button.
Confirm your restore point and click the Finish button. Make your selections and click Next.
This will take some time to complete. When the system is restored to a time that was free of Osiris Ransomware, there will be no ransomware on your PC.
For Windows XP users,
Click on Start button, click on Programs, click Accessories, click on System Tools and then open System Restore.
When the Welcome to System Restore page window appears, click on Restore my computer to an earlier time option (if it is not already selected), then click on Next button.
On the Select a Restore Point screen, locate the "On this list, click a restore point" list, select the most recent system checkpoint and then click the Next button.
A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
Confirm your restore point and click Finish button. Make your selections and click Next.
System Restore restores the previous Windows XP configuration, and then restarts the computer.
Step 2: Restore the encrypted files
So far, there is still no free decryptor tool to decrypt .salsa222 files. But sometimes the encrypted files can be restored through Shadow Volume Copies if you are lucky enough. Usually, file-encrypting ransomware starts deleting Shadow Volume Copies once installed. But in a few cases the Locky ransomware fails to remove them for various unknown reasons. Therefore, if your PC is attacked by this ransomware and you don't have a backup of the files, try restoring the encrypted files from Shadow Volume Copies, since some shadow copies may escape the deletion and can still be restored with ShadowExplorer.
Try using ShadowExplorer to restore them.
Here is their guide on how to restore the files with ShadowExplorer.
Alternatively, try using Windows Previous Versions feature.
Please note that this method only works on an infected operating system that has the System Restore function enabled, and it may not work on all computers. Try it on the encrypted files and see whether it works.
Right click on the encrypted file, select Properties, and select the Previous Versions tab. If there is a restore point available, select it and click on the Restore button.
How to protect your PC from Salsa Ransomware?
Usually, anti-malware programs fail to decrypt the encrypted files even if they have found and deleted the malware. You won't be able to restore your personal files if your computer is attacked by this encrypting ransomware and you have no backups. Thus, here are several suggestions on how to protect your computer from the malware.
First of all, always remember to make a backup of your files, especially the important ones. Many people don't make backups regularly, so when their machines are attacked by ransomware, it's impossible for them to restore the files and they have to pay the ransom to recover the very important data. Cybercriminals exploit this to make a profit.
Next, don’t click on the pop-ups saying your software, such as Chrome or Flash Player, is outdated. They may be malicious and download other potentially unwanted programs or even ransomware to your PC. If you want to update the software, please go to their official sites and download it directly from there.
Finally, keep advanced anti-malware software on the PC. It's necessary to install a virus scanner with the latest definitions on the system to safeguard the PC against all types of malware. Security tools can inform you of changes made by a virus and help you detect and remove them automatically.
Salsa Ransomware encrypts files and makes them inaccessible, but there is no free decryptor tool for it so far. Still, we DO NOT encourage victims to pay the ransom to recover the files. Sometimes even if you pay the ransom, cyber criminals may give you nothing or lock your files again and again. In this case, a complete Salsa Ransomware removal and prevention should be the first choice. To avoid such malware, you need to take preventive measures like making a regular backup of important data on your PC and keeping an advanced antivirus program on the PC.