What to do if…
you find a new “read me” or ransom-style note file on your computer
Short answer
Stop using the computer and isolate it (disconnect from Wi-Fi/ethernet) before you do anything else. Then use a different device to get help and report it.
Do not do these things
- Don’t pay the ransom or rush into “negotiation” messages.
- Don’t follow instructions in the note (links, email/Telegram contacts, “support” chats).
- Don’t plug in backup drives or memory sticks “to copy things off” — you could encrypt/infect them too.
- Don’t try to restore from backups yet.
- Don’t start randomly deleting files or running unknown “decryptor/cleaner” tools you found online.
- Don’t sign into important accounts (email, banking, work) from the affected computer.
What to do now
- Isolate the device immediately. Turn off Wi-Fi and unplug any ethernet cable. If the device seems to be actively encrypting files (files changing rapidly), power it off.
- Disconnect anything attached and limit spread. Unplug external hard drives/USB sticks. If you’re connected to shared folders/NAS, disconnect the affected device from the network to reduce spread.
- Capture the minimum evidence safely (no clicking). Take photos of the ransom note and the file name(s). Note the date/time you noticed it, any new file extensions, and which folders/drives are affected.
- Use a different, trusted device to secure your key accounts. Start with email (because it can be used to reset your other accounts), then banking, Apple/Google/Microsoft accounts, and any password manager. Turn on MFA where you can.
- Check how widespread it is (quick, low-risk triage). While staying offline, check a couple of files in different folders: do they open normally, or do they give errors or have strange extensions? Stop once you have enough to describe the impact.
- If it’s a work/school device, stop and escalate. Contact your IT/security team immediately. Don’t attempt “DIY cleanup” on a managed device.
- Report it (UK).
  - Most people and small organisations: report cyber crime/fraud via Report Fraud (online), or by phone on 0300 123 2040.
  - Organisations (especially if impact is serious): use the GOV.UK “where to report a cyber incident” signposting service to reach the right body for your sector, and consider reporting via the NCSC incident reporting portal for significant incidents.
  - If personal data may be involved: assess whether you need to notify the Information Commissioner’s Office (ICO) (for notifiable breaches, reporting is generally expected without undue delay and within 72 hours of awareness).
- Protect your money fast if there’s any chance of financial access. If you were logged into banking/shopping on that device recently or saved card details in the browser, contact your bank’s fraud line, ask about extra monitoring, and change credentials from a clean device.
What can wait
- You don’t need to decide today whether you’ll ever pay — focus on containment and account security first.
- You don’t need to reinstall the computer immediately; preserve the option for professional recovery.
- You don’t need to restore from backups yet — only restore once you’re confident the device and the backup are clean.
- You don’t need to contact everyone at once — start with email + banking + any account that can reset others.
Important reassurance
Seeing a ransom note can make you feel pressured to act quickly — that’s the point of it. Disconnecting and switching to a clean device is a strong first move that prevents things getting worse while you regain control.
Scope note
These are first steps to reduce harm and buy time. Recovery (cleaning the system, restoring files, and checking for data theft) often needs careful, specialist support.
Important note
This guide is general information, not legal, financial, or professional cybersecurity advice. If the device contains sensitive personal data or you’re part of an organisation, get qualified help promptly and follow your organisation’s incident process.
Additional Resources
- https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
- https://www.ncsc.gov.uk/ransomware/home
- https://report.ncsc.gov.uk/
- https://www.reportfraud.police.uk/guide-to-reporting/
- https://www.gov.uk/guidance/where-to-report-a-cyber-incident
- https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/