'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
uk Technology & digital loss files renamed suddenly • file extensions changed • strange file extensions • files look encrypted • folders renamed • random file names • files have .locked extension • files have .encrypted extension • ransom note on computer • possible ransomware • possible malware infection • cloud sync went wrong • shared drive files changed • external drive affected • photos documents unreadable • can't open my files • windows files changed names • mac files changed extensions • happened all at once • i don't know what changed them What to do if…
What to do if…
your files suddenly change names or extensions and you do not know why
Short answer
Treat this as a possible ransomware/malware incident until proven otherwise: disconnect the affected device from the internet and any shared drives immediately, then pause any cloud sync before you do anything else.
Do not do these things
- Don’t keep “trying fixes” (renaming files back, running random cleanup tools, restoring things repeatedly) while the device is still online.
- Don’t plug in more USB drives “to back up quickly” until you’ve isolated the device (malware can spread to newly attached drives).
- Don’t pay a ransom or respond to any ransom message in a rush.
- Don’t wipe/reinstall straight away if you may need evidence for support, insurance, work IT, or reporting.
- Don’t assume it’s “just a setting” if lots of files changed at once or you see a ransom note.
What to do now
- Isolate the device (containment first).
- Turn off Wi-Fi and Bluetooth, unplug Ethernet, and disconnect from mobile hotspot.
- If it’s on a home/work network with shared storage, consider turning off Wi-Fi at the router briefly to stop spread.
- Stop sync and sharing immediately (to prevent propagation).
- Pause cloud sync on the affected device (e.g., OneDrive/iCloud/Dropbox).
- If you can do so safely, also pause sync from the provider’s web dashboard using another, known-clean device.
- Disconnect external drives and unplug network-attached storage (NAS) if you suspect it’s being affected.
- Document what you see (before it changes).
- Take photos/screenshots of: file extensions, error messages, ransom notes, and the time/date you noticed it.
- Write down which folders/drives are affected (e.g., “Documents and Photos, but not Downloads”).
- Check whether other devices are being hit (without reconnecting the suspect device).
- From a different, known-clean device, check whether the same folders in the cloud or on shared storage show the same renamed/encrypted files.
- If other devices look affected, isolate them too.
- Use the right reporting/support route quickly.
- If this is a work/school device: contact your IT/helpdesk immediately and say “possible ransomware/encryption and file renaming”.
- If you’re an individual in the UK: report cyber crime/fraud via Report Fraud (the national reporting service; the older “Action Fraud” site name may redirect).
- If you live in Scotland, reporting is typically via Police Scotland (101) for non-emergency.
- Preserve a small “sample” safely (only after isolation).
- If you can do it while staying offline: copy a small set of changed files plus any ransom note text to a separate USB drive (ideally empty/newly formatted), then unplug it and label it (date/time).
- Don’t reconnect that USB drive to other computers unless a trusted professional/IT advises you to.
- If changes keep happening after you’ve disconnected networks.
- If file names/extensions continue changing even while offline, shut the device down to stop further damage, then hand over to IT or a reputable local computer security professional.
What can wait
- You do not need to decide today whether to wipe the device, pay anything, or tell everyone you know.
- You do not need to identify the exact malware strain right now.
- You do not need to attempt full recovery immediately; the priority is stopping spread and preserving what’s there.
Important reassurance
When lots of files suddenly change names/extensions, it’s normal to feel panicked and start clicking. Pausing and isolating the device first is the safest move and often prevents the situation from getting much worse.
Scope note
This is first-steps-only guidance to contain damage and avoid irreversible mistakes. Recovery (restoring from backups, rebuilding devices, dealing with accounts) often needs careful, situation-specific support.
Important note
This is general information, not professional forensic or legal advice. If you’re unsure whether this is ransomware, acting as if it is (isolating, pausing sync, documenting) is usually the least-regret first step.
Additional Resources
- https://www.ncsc.gov.uk/section/respond-recover/sole-ransomware-attack
- https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
- https://www.reportfraud.police.uk/
- https://www.reportfraud.police.uk/guide-to-reporting/
- https://www.gov.uk/government/news/report-fraud-new-service-from-city-of-london-police