Salsa Ransomware – Remove and Restore .salsa222 Files

Salsa Ransomware – Remove and Restore .salsa222 Files

This article will aid you to remove the Salsa ransomware effectively. Follow the ransomware removal instructions provided at the bottom of this article.

Salsa ransomware is a cryptovirus. The extension it puts to all files after encryption is .salsa222. A ransom note named READ TO UNLOCK FILES.salsa.[language].html points to a TOR-based Web page, which contains instructions about payment. The sum of 150 US dollars is demanded in Bitcoins by the cybercriminals for paying the ransom. Read on through and find out what ways you could try to potentially recover some of your files and data.

Threat Summary

Short DescriptionThe sransomware encrypts files on your computer system and it shows a ransom note afterward.
SymptomsThis ransomware virus will encrypt your files and place the .salsa222 extension on each one of them.
Distribution MethodSpam Emails, Email Attachments, Executables
Detection Tool See If Your System Has Been Affected by Salsa


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Salsa.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Salsa Ransomware – Delivery Tactics

The Salsa ransomware might be delivered by utilizing different tactics. The payload dropper file which initiates the malicious script for the ransomware is found to be circling the Internet. Malware researchers have found multiple samples, and some are still infecting users. You can see the VirusTotal detections for different security programs of one such sample from the below snapshot:

The Salsa ransomware might be using other ways to deliver the payload file, in question, such as social media sites or file-sharing services. Freeware applications found on the Web could be promoted as helpful but also could hide the malicious script for this virus. Before opening any files after you have downloaded them, you should instead scan them with a security program. Especially if they come from suspicious places, such as emails or links. Also, don’t forget to check the size and signatures of such files for anything that seems out of place. You should read the ransomware preventing tips given in the forum.

Salsa Ransomware – Technical Information

The Salsa ransomware is a cryptovirus. When the Salsa ransomware encrypts your files it will place the .salsa222 extension to every encrypted file. The virus has its ransom note translated in 40 languages, which are the following:

→French; Spanish; English; Hindi; Javanese; Dutch; Bosnian; Portuguese; Czech; Serbian; Danish; German; Bengali; Estonian; Croatian; Persian; Indonesian; Icelandic; Italian; Kannada; Latvian; Lithuanian; Hungarian; Norwegian; Tamil; Polish; Urdu; Romanian; Slovenian; Slovak; Malayalam; Finnish; Swedish; Marathi; Turkish; Vietnamese; Greek; Belarusian; Bulgarian; Gujarati; Russian; Telugu; Ukrainian; Hebrew; Arabic; Thai; Korean; Simplified Chinese; Traditional Chinese; Japanese

The Salsa ransomware might make new registry entries in the Windows Registry to achieve a higher level of persistence. Those entries are usually designed in a way that will start the virus automatically with every launch of the Windows Operating System, like in the example provided below, such as the example given down here:


A ransom message will be placed inside your computer system right after the encryption process is complete. The ransom note file is called READ TO UNLOCK FILES.salsa.[language].html and it contains a link to a TOR Web page (where the name of one of the 40 languages is written). Once you open that page, this is the message that will load on it:

That ransom message with instructions reads the following:

Your computer has been locked and your files are encrypted.
A one-time payment is required to restore access.
Disable your Anti Virus now! If this program is deleted by your Anti Virus, you lose your files forever because it is impossible to decrypt your files!
PRICE: $150 in Bitcoins
We only accept bitcoins! Follow the steps below to decrypt your files:
1. Send exactly 0.124831 [BTC,BITCOINS] to this bitcoin address: 1CmrBiDU8Ta2TQ8j1VBtJ6UcvzvxixWeWD
2. After you send the payment, wait a few minutes…your files will be automatically decrypted and repaired. Your computer/files will be back to normal.
How to Use Bitcoin
Step 1 – Create Wallet
Register a new Bitcoin Wallet on your computer:,,
Or on your mobile phone by installing the Blockchain app.
Available on the App Store or Google Play
Step 2 – Purchase Bitcoin
Purchase Bitcoins online through a trusted reseller: (CASH, WESTERN UNION, PAYPAL) (BANK ACCOUNT, CREDIT CARD), (CREDIT CARD, WESTERN UNION…),,
Or find a Bitcoin ATM machine in your area: (CASH)
Step 3 – Send Payment
Send exactly 0.124831 [BTC,BITCOINS] to this bitcoin address:
Still confused? Click here to Learn More
Paid, and not seeing your files yet?
Verify that you paid the correct amount
Make sure your computer is connected to the internet
Reconnect all infected drives/usb/devices to your computer
If nothing worked, restart your computer, disable your anti-virus and re-download the salsa decryptor from one of these links: Download Server 1, Download Server 2, Download Server 3, Download Server 4, Download Server 5

The following wallpaper will be set as a Desktop background:

The makers of the Salsa cryptovirus demand that you pay a ransom sum of 0.124831 Bitcoins, which is the equivalent of nearly 150 US dollars at the moment of writing this article. However, you should NOT meet their demands, nor contact these crooks under any circumstances. By proceeding with a payment you only will give money to the criminals, and nobody can guarantee that you will recover your data by doing so. To add to that, providing money to the cybercriminals is probably going to ignite their motivation to do more criminal acts, including the making of ransomware viruses.

Salsa Ransomware – Encryption Process

There is no official list with file extensions that the Salsa ransomware seeks to encrypt at this moment. However, this article will get duly updated if there anything new about this matter surfaces. All encrypted files will receive the .salsa222 extension, which will be appended to them. The following files are most likely to get encrypted, as they are the most commonly used ones on the Windows OS:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

The Salsa cryptovirus is very likely to delete the Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

If the command stated above is initiated, that will make the encryption process a bit more effective, as one of the ways for file recovery will be lost. Continue reading and find out what kinds of methods you can try out to potentially restore some of your files.

Remove Salsa Ransomware and Restore .salsa222 Files

If your computer got infected with the Salsa ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share