    How to Confirm Your Windows PC Has Ransomware

    Before anything else, confirm what you are actually dealing with. Not every 'my files won't open' is ransomware.

    Tell-tale signs of ransomware

    Real ransomware typically shows several of these together:

    • Files have new extensions you did not put there (e.g. .locked, .encrypted, .lockbit, .djvu, random strings like .zxcv).
    • A text or HTML 'ransom note' file appears in every folder — names like readme.txt, HOW_TO_DECRYPT.html, !RECOVER.txt.
    • Your wallpaper changes to a black screen with payment instructions.
    • Files won't open in any application — Word reports them as corrupt, photos won't display.
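
    The two file-system signs in this list (an extension bolted onto ordinary documents, and the same note file repeated across folders) can be tallied with a read-only directory walk. This is an added example, not part of the original article; the note-name pattern, the list of ordinary document types, the thresholds and the sample tree are assumptions made for illustration.

```python
"""Read-only triage for two signs: appended extensions and repeated notes."""
import os
import re
import tempfile
from collections import Counter

# Note-name pattern is an assumption generalised from the article's examples
# (readme.txt, HOW_TO_DECRYPT.html, !RECOVER.txt).
NOTE_RE = re.compile(r"(readme|decrypt|recover|restore)[^.]*\.(txt|html?|hta)$", re.I)
# Ordinary document types; a further suffix after one of these is suspicious.
KNOWN = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}

def triage(root):
    """Walk root without opening or changing any file and tally both signs."""
    note_dirs = Counter()   # note file name -> number of folders holding it
    appended = Counter()    # appended extension -> number of files carrying it
    folders = 0
    for _dirpath, _dirs, files in os.walk(root):
        folders += 1
        for name in files:
            if NOTE_RE.search(name):
                note_dirs[name.lower()] += 1
                continue
            stem, ext = os.path.splitext(name)
            # e.g. budget.xlsx.locked: a known type with something bolted on
            if ext and os.path.splitext(stem)[1].lower() in KNOWN:
                appended[ext.lower()] += 1
    top_note = note_dirs.most_common(1)
    top_ext = appended.most_common(1)
    # The article's rule: real ransomware shows several signs together.
    note_hit = bool(top_note) and top_note[0][1] >= max(2, folders // 2)
    ext_hit = bool(top_ext) and top_ext[0][1] >= 2
    return {"folders": folders, "notes": dict(note_dirs),
            "appended": dict(appended), "likely": note_hit and ext_hit}

def build_sample(root, encrypted):
    """Constructed sample tree: three folders, two documents each."""
    for folder in ("Documents", "Pictures", "Desktop"):
        os.makedirs(os.path.join(root, folder))
        for doc in ("budget.xlsx", "holiday.jpg"):
            name = doc + ".locked" if encrypted else doc
            open(os.path.join(root, folder, name), "w").close()
        if encrypted:
            open(os.path.join(root, folder, "HOW_TO_DECRYPT.html"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, encrypted=True)
        print(triage(tmp))
```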

    Step 1: Stop using the PC

    Disconnect from the internet (unplug Ethernet, turn off Wi-Fi).

    Do not reboot. Many ransomware families finish encrypting on shutdown or run more passes on boot.

    Disconnect any external drives and USB sticks, and disconnect from any network shares.

    If only a few files are affected and the wallpaper has not changed, you may have caught it mid-encryption. Speed matters — disconnect now and continue.

    Step 2: Confirm it is not just OneDrive / sync issues

    Open File Explorer. If files have a green tick or cloud icon next to them and won't open, that is OneDrive showing files that are not currently downloaded — not ransomware.

    If the file extension is unchanged and only one app refuses to open them, the file may just be corrupt. Try opening it in a different application.

    Step 3: Identify the ransomware family

    From another device (not the infected one), go to id-ransomware.malwarehunterteam.com.

    Upload the ransom note plus one encrypted file. The site will tell you which ransomware family it is and whether a free decryptor exists.

    Cross-check the result against nomoreransom.org — the EU-led project lists every public free decryptor.

    A surprising number of older ransomware families have free decryptors available. Always check before paying.

    Step 4: Photograph evidence

    Take phone photos of: the ransom note, the changed wallpaper, the file extension list, and any contact email/Bitcoin address.

    You will need this if you report to police or your cyber insurer.
