'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
us Technology & digital loss files renamed suddenly • file extensions changed • strange file extensions • files look encrypted • folders renamed • random file names • files have .locked extension • file extension .encrypted • ransom note on computer • possible ransomware • possible malware infection • cloud sync went wrong • shared drive files changed • external drive affected • photos documents unreadable • can't open my files • windows files changed names • mac files changed extensions • happened all at once • i don't know what changed them What to do if…
What to do if…
your files suddenly change names or extensions and you do not know why
Short answer
Assume it could be ransomware: immediately isolate the affected device from networks and stop cloud syncing, then document what you see before attempting fixes.
Do not do these things
- Don’t keep the device online while you experiment (that can spread encryption to shared drives and cloud storage).
- Don’t rename files back or run “miracle decryptor” tools you found randomly online.
- Don’t attach extra USB drives “to back up” until the device is isolated (malware can reach newly attached drives).
- Don’t wipe/reinstall immediately if you may need evidence for IT support, insurance, or reporting.
- Don’t pay or negotiate in a rush.
- Don’t pay “recovery fees” to unsolicited callers/messages claiming to be “IC3/FBI” or a “recovery agent” (this is a common follow-on scam).
What to do now
- Disconnect the device from all networks (containment).
- Turn off Wi-Fi and Bluetooth, unplug Ethernet, disconnect from any hotspot.
- If you use shared drives or NAS, disconnect that shared storage from the network to prevent spread.
- Stop syncing and sharing (prevent propagation).
- Pause cloud sync on the affected device (OneDrive/iCloud/Dropbox/Google Drive).
- If you can do so safely from another trusted device, pause sync from the provider’s web settings as well.
- Capture evidence of what happened (quickly, calmly).
- Take photos/screenshots of ransom notes, changed extensions, and error messages.
- Note the approximate time you first noticed changes and what you were doing just before (opened attachment, installed software, etc.).
- Check if it’s spreading (without reconnecting the suspect device).
- From another device you trust, check whether cloud folders or shared drives show the same renamed/encrypted files.
- If other devices are affected, isolate them too.
- Contact the right support channel and report safely.
- If this is a work/school device: contact IT/security right away and say “possible ransomware/encryption; files renamed/extensions changed.”
- Report to the FBI Internet Crime Complaint Center (IC3) and consider contacting your local FBI field office.
- Important: type www.ic3.gov directly into your browser (avoid sponsored search results and lookalike sites). IC3/FBI won’t charge fees to “recover” money or files.
- Preserve a small sample for recovery options later (after isolation).
- Copy a small set of affected files plus any ransom note text to a separate USB drive (ideally empty/newly formatted), then unplug it and label it (date/time).
- Don’t reconnect that USB drive to other computers unless a trusted professional/IT advises you to.
- If encryption still appears to be actively ongoing.
- If file names/extensions keep changing even after network disconnection, power the device down (CISA notes this can be appropriate if you can’t fully disconnect) and hand off to IT or a reputable incident response professional.
What can wait
- You do not need to decide right now whether to pay, wipe, or rebuild everything.
- You do not need to identify the malware family today.
- You do not need to start restoring backups immediately; containment and documentation come first.
Important reassurance
This is a common “freeze” moment: your brain wants to click and undo things fast. Taking one minute to isolate and pause syncing often prevents a bad situation from becoming much bigger.
Scope note
These are first steps to reduce harm and buy time. Full recovery (backups, account security, forensic review, notifications) depends on your exact setup and often needs specialist help.
Important note
This is general information, not legal, forensic, or professional incident-response advice. If you’re unsure what caused the changes, treating it as ransomware at first (isolate, stop sync, document, report) is typically the safest path.