Incident Response Guide

My Computer Says I Have Ransomware

A screen appeared saying your files are locked — or a warning popped up. Here's how to tell if it's real, and exactly what to do.

Updated 7 May 2026

First: Is It Real or a Fake Alert?

Before doing anything else, you need to answer one question — because the right response depends on it.

Signs it is a FAKE alert (scareware):

  • The warning appeared inside your web browser while you were browsing a website
  • It has a phone number to call (“Call Microsoft Support immediately”)
  • Your computer still works normally — you can open files, close the browser, use other programs
  • The message has red flashing text, urgent countdown timers, or claims to be from Windows, Apple, or your antivirus
  • When you close the browser, everything is fine

Signs it is REAL ransomware:

  • Your documents, photos, or other files now have strange extensions (like .locked, .encrypted, .{random letters})
  • You cannot open files that previously worked fine
  • Your desktop wallpaper has changed to a ransom note
  • A fullscreen message appeared when you started your computer that you cannot close
  • Your computer is completely locked and you cannot use it at all

Jump to the right section below.

If It’s a Fake Alert (Scareware)

Do not call the phone number. Do not click anything on the popup. This is the same type of scam as a fake invoice — the goal is to get you to call a number where scammers will try to access your computer or take your money.

What to do:

  1. Close your browser. If you can’t close it normally, press Alt + F4 on Windows or Command + Q on Mac. If that doesn’t work, right-click the taskbar icon and select “Close window.”
  2. If the popup blocked your whole screen: Press Ctrl + Alt + Delete (Windows) and open Task Manager, then end the browser process. On Mac, press Command + Option + Escape and force-quit the browser.
  3. Run a malware scan. Open your antivirus software and run a full scan. On Windows, Windows Security (built-in) works well — search for it in the Start menu.
  4. Do not visit the same website again.

Your files are fine. Your computer is fine. You do not owe anyone anything.

If It’s Real Ransomware

Your files have been encrypted by malicious software. This is serious, but you still have options. Work through these steps carefully.

Step 1: Disconnect from the internet immediately

Pull out the network cable, turn off Wi-Fi, and turn off Bluetooth. Do this right now, before anything else.

Ransomware often tries to spread to other devices on your home network (other computers, external hard drives, shared folders). Cutting the connection stops it from spreading further.

Step 2: Do not turn the computer off

This is counterintuitive, but important. Some ransomware is still in the process of encrypting files when you see the message — turning the computer off may cause it to finish the encryption on restart, or may destroy information that could help with decryption later.

Leave it on but disconnected from the internet.

Step 3: Photograph the ransom note

Use your phone to take a clear photo of the ransom message on your screen. This is important for two reasons:

  • The message usually identifies which ransomware you have (by name or visual style) — you’ll need this to search for a decryption tool
  • You’ll need this information for your police report

Step 4: Check if free decryption is available

Before considering anything else, check whether a free decryption tool exists for the ransomware you have.

Do this from your phone or another computer — not the infected machine, which must stay disconnected.

Go to nomoreransom.org on that other device. This is a free service run by Europol and law enforcement agencies worldwide, with decryption tools for hundreds of ransomware variants — completely free.

The site’s “Crypto Sheriff” tool lets you upload one encrypted file to identify the ransomware and check whether a free decryptor exists. To get a sample file from the infected computer to your phone or another device:

  • USB stick: plug a USB drive into the infected computer, copy one small encrypted file (a document or photo) onto it, then plug it into your phone or other computer. The encrypted file itself is not dangerous — it is just scrambled data that cannot execute or spread.
  • If the infected computer has no USB: take a photo of the ransom note screen with your phone instead, and search nomoreransom.org for the ransomware name shown in the message.

Also check emsisoft.com/en/ransomware-decryption for additional free tools.

Step 5: Check your backups

Do you have a recent backup of your files?

  • External hard drive that was not connected when the attack happened — your files may be fully recoverable
  • Cloud backup (OneDrive, iCloud, Google Drive, Dropbox) — check whether older versions of your files are still there. Many cloud services keep version history that predates the encryption.
  • Windows File History or macOS Time Machine — if enabled, check whether previous file versions can be restored

If you have a clean backup, restoring from it is the best possible outcome — no ransom needed.

Step 6: Do not pay the ransom

The FBI, Europol, and every major security organisation advise against paying.

Paying does not guarantee your files will be returned — a significant number of victims who pay receive no working decryption key. It also funds the criminal operation and confirms that you are a target willing to pay, which can result in follow-up attacks.

Exhaust all other options first: free decryption tools, backups, professional help.

Step 7: Report it to the police

File a report with your local police. Bring:

  • Your photo of the ransom note
  • A note of when you first noticed it and what you were doing at the time
  • The file extensions on your encrypted files

Also report online to your national cybercrime centre — most countries have an online form. This helps law enforcement track ransomware operations even when individual recovery isn’t possible.

After Recovery: Securing Your Computer

Whether you recovered your files or had to start fresh, do these things before using the computer normally again:

  1. Run a full malware scan — confirm the ransomware is fully removed before restoring any files
  2. Change all your passwords — from a different device first, then on the recovered computer. Use our password generator for each one.
  3. Update your operating system and all software — ransomware often gets in through known vulnerabilities in outdated software
  4. Set up regular backups going forward — this is the single best protection against ransomware. See the prevention section below.

What NOT to Do

  • Do not pay the ransom — it rarely works and funds future attacks
  • Do not turn the computer off immediately (if files are being actively encrypted)
  • Do not connect additional storage devices to the infected computer — they may get encrypted too
  • Do not call any number shown in the ransom message
  • Do not try to decrypt files yourself with random tools — some poorly-made decryptors can cause further damage

Prevention Checklist

The best protection against ransomware is a recent backup you can restore from.

  • Regular backups to an external drive that is disconnected when not in use (a drive that’s always connected can also get encrypted)
  • Cloud backup enabled (OneDrive, iCloud, Google Drive) with version history turned on
  • Windows or macOS operating system set to update automatically
  • All software (browser, Office, etc.) kept up to date
  • Antivirus software installed and running
  • Unique passwords on all accounts (use our password generator)
  • Be cautious with email attachments — especially Word, Excel, and PDF files from unexpected senders