PanicStation.org
UK USA
us Technology & digital loss ransom note on computer • ransomware note • files encrypted • computer locked ransomware • ransomware pop-up • bitcoin ransom demand • crypto ransom demand • decrypt key demanded • system encrypted • desktop ransom message • strange file extensions • network share encrypted • work laptop ransom note • home pc ransomware • not paid ransom • not contacted attacker • scared to respond • data held hostage • extortion message • malware ransom screen

What to do if…
your computer displays a ransom note but you have not paid or contacted anyone yet

Short answer

Immediately isolate the affected computer from the internet/network, then document the ransom note (photos/screenshots) and do not communicate with the attacker.

Do not do these things

  • Don’t pay, bargain, or message the attacker “to see if it’s real.”
  • Don’t click links, QR codes, or “support” buttons in the ransom note.
  • Don’t attach backup drives or USB storage to “save what you can” — you may spread encryption/infection.
  • Don’t sign up for random “decryption” services that contact you first — scams are common.
  • Don’t log into key accounts (email, banking, cloud, password manager) on the infected computer.
  • Don’t wipe/reinstall yet — not until you’ve isolated the device and have a trusted recovery plan (and, for work/school devices, explicit IT instructions).

What to do now

  1. Isolate the device (first priority).
    • Turn off Wi-Fi and Bluetooth.
    • Unplug Ethernet if connected.
    • Disconnect from any dock/office network and shared storage.
  2. Preserve what you’re seeing.
    • Take photos/screenshots of the ransom note, any “victim ID,” contact method, and the time/date.
    • Write down what changed (e.g., “files won’t open,” “extensions renamed,” “network drive affected”).
  3. If it’s work/school/managed IT: stop and report internally.
    • Contact your IT/security/helpdesk from a different device/phone.
    • Say clearly: “Ransom note on screen; device isolated; no payment; no contact with attacker.”
  4. From a known-clean device, secure your accounts.
    • Change passwords for: email, banking, Apple/Google/Microsoft accounts, cloud storage, and any remote-access tools.
    • Turn on multi-factor authentication where available.
    • If you get unexpected password reset prompts, treat them as a red flag.
  5. Report once through an official channel.
    • File a report with the FBI’s IC3 (a common route for individuals and organizations).
    • CISA notes victims can report to the FBI, CISA, or the U.S. Secret Service, and you only need to report the incident once.
  6. If money or identity theft risk feels possible, slow it down now.
    • Call your bank using the number on your card/app (not any number on the ransom note).
    • Monitor for unauthorized login alerts, new payees, or unexpected transfers.
  7. Keep the infected computer isolated until a trusted recovery plan exists.
    • If you must transport it, keep it powered off and disconnected, and avoid plugging it into other computers.

What can wait

  • You do not need to decide right now whether you will ever pay.
  • You do not need to attempt “cleanup” or “decryption” immediately.
  • You do not need to talk to the attacker to “buy time.”
  • You can postpone deeper cleanup (rebuild, restore from backups, forensic checks) until after reporting/containment.

Important reassurance

Ransom notes are meant to push you into fast, irreversible choices. Not paying or contacting anyone yet is a strong starting position — isolating the device and switching to clean-device actions protects you while you decide next steps.

Scope note

This is first steps only for stabilization and harm-prevention. Full recovery can involve IT support, restoring from backups, checking for data theft, and (for organizations) incident response planning.

Important note

This guide is general information, not legal or professional advice. If the computer belongs to an employer/school or holds other people’s data, follow your organization’s incident process and don’t self-remediate unless you’re instructed to.

Additional Resources
Support us