'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
uk Technology & digital loss ransom note on screen • ransomware message • files encrypted • computer locked ransomware • pop-up ransom demand • black screen ransom note • bitcoin ransom demand • crypto payment demand • decrypt key demanded • hacked and locked out • suspicious encryption • sudden file extensions changed • desktop wallpaper ransom note • network drive encrypted • work laptop ransom note • home computer ransomware • not paid yet • not contacted attacker • scared to click anything • data held hostage What to do if…
What to do if…
your computer displays a ransom note but you have not paid or contacted anyone yet
Short answer
Disconnect the affected computer from the internet/network immediately, then pause and document what you’re seeing (photos/screenshots) before you do anything else. Don’t reply to the ransom message.
Do not do these things
- Don’t pay, negotiate, or message the attacker “just to ask” — it can increase pressure and risk.
- Don’t click links, QR codes, or “support chat” buttons on the ransom note.
- Don’t plug in backup drives, USB sticks, or external hard drives “to copy what you can” — you may encrypt/infect them too.
- Don’t run random “ransomware removal” tools you don’t understand — it can make recovery harder or overwrite information responders may need.
- Don’t log into banking/email/password-manager accounts on the infected computer.
- Don’t accept unsolicited “help” calls/messages from people who claim they can fix it if you pay them.
What to do now
- Isolate the device (first priority).
- Turn off Wi-Fi and Bluetooth.
- Unplug the Ethernet cable if there is one.
- If it’s a work/school device, disconnect from any dock/office network too.
- Freeze the scene for reference.
- Take clear photos of the ransom note, any filenames/extensions shown, the time/date, and any “ID” the note displays.
- If you can do so without clicking around, write down which folders/drives look affected (e.g., “Documents”, “Desktop”, a shared drive letter).
- If it’s a work/school computer: stop and escalate.
- Do not attempt fixes yourself. Contact your IT/helpdesk/security team using a different device/phone.
- Tell them: “Ransom note on screen; device isolated from network; I have not paid or contacted anyone.”
- From a known-clean device, secure the accounts that matter most.
Prioritise: email account(s), banking, cloud storage (Google/Microsoft/Apple), and any remote access accounts. Turn on 2-step verification if you can.- If you use a password manager and you’re unsure whether it’s affected, change the master password only from a known-clean device.
- Treat it as real ransomware until proven otherwise.
- Some incidents are “scareware” (a lock screen) and some are real encryption. Don’t test by clicking around. Keep it isolated and move to reporting/help.
- Report it (even if you haven’t lost money yet).
- If you’re in England, Wales, or Northern Ireland: report cyber crime/fraud via Report Fraud (the UK online service).
- If you’re in Scotland: report to Police Scotland (101 for non-emergency, or their online reporting options).
- If this involves an organisation, they can also report the incident to the NCSC via its cyber incident reporting service.
- If you’re worried about identity/financial exposure, add immediate friction.
- Notify your bank’s fraud team (use the number on your bank card/app, not one in any message).
- Watch for account takeover signals (password reset emails you didn’t request, new payees, new devices).
What can wait
- You do not need to decide today whether you will ever pay (many people never do).
- You do not need to try to “clean” or “decrypt” the machine right now.
- You do not need to contact the attacker to “buy time”.
- You can leave detailed incident write-ups and longer-term prevention steps until after the device is contained.
Important reassurance
Seeing a ransom note is designed to trigger panic and rushed decisions. You’ve already done the most protective thing by not paying or engaging — isolating the device and slowing down prevents a bad situation becoming worse.
Scope note
This is first steps only for stabilization and harm-prevention. Recovery (restoring files, rebuilding the device, dealing with backups, and checking for data theft) can require specialist help depending on what was hit.
Important note
This guide is general information, not legal or professional advice. If the device is owned by an employer/school or contains other people’s personal data, follow your organisation’s incident process and consider data protection obligations.
Additional Resources
- https://www.ncsc.gov.uk/ransomware/home
- https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
- https://report.ncsc.gov.uk/
- https://www.reportfraud.police.uk/
- https://www.scotland.police.uk/advice/cybercrime/ransomware-attacks/
- https://www.gov.uk/government/news/report-fraud-new-service-from-city-of-london-police