How to recognise ransomware before it's too late: a step-by-step guide

The cyber threat landscape is rapidly evolving. It is becoming increasingly sophisticated, impacting individuals and businesses alike. To help you stay one step ahead of cybercriminals, we’re exploring a different aspect of cybersecurity each month in 2025 as part of our bitesize series.

So far, we have tackled many prominent issues surrounding cybersecurity, including:

This month’s focus is on how to recognise ransomware before it’s too late.

Did you know that 1% of all businesses in the UK experienced a ransomware crime in the last 12 months? This has doubled from 2024.

In today’s digital world, ransomware is one of the most dangerous and costly cyber threats. It can lock you out of your files, disrupt your business, and demand a hefty ransom to restore access. But what if you could spot the signs before the damage is done?

In this guide, we’ll explain what ransomware is, how to recognise it early, and provide you with a step-by-step guide to help you stay one step ahead of cybercriminals.


What is ransomware?

Ransomware is a type of malicious software, also known as malware, that encrypts your files or locks you out of your system. Once infected, you’ll typically receive a message demanding payment, often in cryptocurrency, in exchange for a decryption key.

There are several types of ransomware, including:

  • Crypto ransomware - Encrypts files and demands payment for the decryption key.
  • Locker ransomware - Locks you out of your device entirely, before displaying a ransom note.
  • Scareware - Pretends to be legitimate software and scares users into paying for fake fixes.
  • Extortionware - Taps into the fear of reputational damage, by threatening to publicly expose your data unless users pay the ransom.

Ransomware attacks can take place on any device, whether that is a mobile phone, tablet or computer. Typically, ransomware gains access to a user’s device via phishing attacks.


Signs of a ransomware attack

By recognising early indicators, you can significantly reduce the risk of infection and contain threats before they escalate. Recognising ransomware promptly can be the difference between a minor inconvenience and a full-blown crisis.

If you notice any of the signs below, act quickly, as time is critical.

Sign 1 - Sluggish system performance

During a ransomware attack, the system can be overloaded by the malware, which leaves less capacity for legitimate programs to run. Watch for sudden slowdowns, frequent crashes, or unresponsive applications. These can be early signs of malicious activity.

Open Task Manager (Windows) or Activity Monitor (Mac) and look for unfamiliar or resource-heavy processes. Malware often tries to disguise itself with random names.

 

Sign 2 - Locked or inaccessible files

You may find that you can’t open documents, images or folders that were previously usable. You may still be able to see the files, but you won’t be able to open or use them.

 

Sign 3 - Unusual file extensions

Ransomware typically targets and corrupts files and data. Inspect your files for strange extensions. If you see something like .locked, .enc, or .crypt, it’s a red flag.

 

Sign 4 - Malicious pop-ups or ransom notes

Look for text files or suspicious pop-ups with unexpected warnings, fake updates or ransom demands. These often appear on your desktop or in folders with encrypted files.
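
As an added illustration of Sign 3 and Sign 4 (not part of the original guide), this Python script walks a folder tree and flags folders where files carry the extensions listed above, either in numbers or beside a text file that reads like a ransom note. The keyword list, the note file types, the `min_hits` threshold and the sample folder are assumptions constructed for the example.

```python
import os
import tempfile
from collections import defaultdict

# Extensions named in Sign 3 of this guide; real ransomware uses many others.
SUSPICIOUS_EXTS = {".locked", ".enc", ".crypt"}
# Assumed keyword list and note file types for Sign 4 (not from the guide).
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "payment")
NOTE_EXTS = {".txt", ".html", ".hta"}

def looks_like_note(path, max_bytes=4096):
    """True if a text file's first bytes contain two or more note keywords."""
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read(max_bytes).lower()
    except OSError:
        return False
    return sum(k in text for k in NOTE_KEYWORDS) >= 2

def scan(root, min_hits=3):
    """Return {folder: {"renamed": [...], "notes": [...]}} for flagged folders."""
    found = defaultdict(lambda: {"renamed": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name.lower())[1]
            if ext in SUSPICIOUS_EXTS:
                found[dirpath]["renamed"].append(name)
            elif ext in NOTE_EXTS and looks_like_note(os.path.join(dirpath, name)):
                found[dirpath]["notes"].append(name)
    # Flag on several listed extensions, or on one beside a note-like file.
    return {d: f for d, f in found.items()
            if len(f["renamed"]) >= min_hits or (f["renamed"] and f["notes"])}

def build_sample_tree(root):
    """Constructed sample data: one clean folder, one that looks encrypted."""
    clean, hit = os.path.join(root, "clean"), os.path.join(root, "finance")
    os.makedirs(clean)
    os.makedirs(hit)
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("Meeting notes about payment terms")
    for name in ("q1.xlsx.locked", "invoice.pdf.locked"):
        open(os.path.join(hit, name), "w").close()
    with open(os.path.join(hit, "README_RESTORE.txt"), "w") as fh:
        fh.write("Your files are encrypted. Send payment in bitcoin to decrypt.")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

A single keyword such as "payment" in an ordinary document does not trigger a finding, which keeps the check from flagging everyday text files.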

 

Sign 5 - Disabled antivirus or firewall

Check your antivirus and firewall logs for recent alerts or blocked activity. If your security software is turned off without your input, these logs can reveal it and help show attempted intrusions or malware behaviour.

 

Sign 6 - Unusual network activity

If you have high outbound traffic to unknown IP addresses or domains, you should use a network monitoring tool to investigate. This could indicate data exfiltration or communication with a command-and-control server.

 

Sign 7 - Unexpected redirects

If you are being redirected to strange websites when you try to visit legitimate websites, this could be an indication that a malicious browser extension has been installed.

 

Sign 8 - Unfamiliar software running

If you notice new apps running in the background, for example software removal applications, this could mean bad news. Take a look at your Task Manager or Activity Monitor to check that nothing suspicious is silently happening behind the scenes.

 

Sign 9 - Invest in threat detection tools

Run a full system scan using updated anti-malware software. Tools like Malwarebytes, Bitdefender, or Windows Defender can help detect and quarantine threats.


What to do if you suspect a ransomware attack

Quick action can limit the damage and help with recovery. If you think your system is infected, follow these steps:

Step 1 - Disconnect from the internet

The first thing you should do if you think your system is infected is disconnect from the internet to prevent the spread. Whether wired, wireless or mobile phone based, disconnect all devices from all network connections immediately to prevent the infected device from corrupting others.

If you’re being particularly cautious, consider turning off your Wi-Fi at the switch to limit the damage it can cause.

 

Step 2 - Reset passwords

If in doubt, update any login details to ensure none of your personal data is compromised. Bear in mind that when you’re completing this step, you need to be careful not to lock yourself out of any systems that you may need for recovering the device.

 

Step 3 - Contact your IT or cybersecurity team

If this is a business device, make sure to contact IT or your cybersecurity team to get support and advice on what to do next. This step will also allow them to implement measures to prevent anyone else falling victim to the same scam.

 

Step 4 - Report the incident

On a similar train of thought, you should report the incident to the local authorities and any applicable cybercrime units. For example, in the UK, you should report any cybercrime to Action Fraud.

 

Step 5 - Clean your device

If you have completed steps 3 and 4, you may have been given some guidance on how to safely remove the ransomware from your device.

 

Step 6 - Restore your backups

Once you are sure the device is free from malware, you can restore your backups if you have any. Just make sure that both the device you are plugging in and the one you are plugging it into are clean.


Should I pay the ransom that’s being demanded?

It is not recommended that you pay the ransom. Law enforcement and cybersecurity experts strongly discourage doing so for many reasons:

  1. There is no guarantee that you will be given access to your files or device again,
  2. It may mean you’re more likely to be targeted in future,
  3. You are then funding criminal activity.

If you’ve already paid the ransom, contact your bank and Action Fraud immediately. Depending on how promptly you do so, they may be able to block the transaction.


Prevention is key

Ransomware is a serious threat, but with the right knowledge and tools, you can detect it before it causes irreversible damage. By following the checklist above and staying alert to early warning signs, you’ll be better prepared to protect your data and your business.

Prevention is always better than cure. Here are a few top tips to remember:

  • Regularly back up your files,
  • Keep your software up to date,
  • Train your team on phishing awareness and encourage them to be proactive.


Worried about cybercrime?

When it comes to cybercrime, many SMEs don’t have sufficient cyber insurance. But the reality is, the risk of cybercrime to your business far outweighs many other risks that you would cover for without a second thought. It’s time to get real about cybersecurity.

To find out more about cyber insurance, give us a call on 0330 029 5626 or visit our dedicated cyber insurance page.


About the author

Marc Rocker, Head of Cyber, has been with Towergate for over 15 years advising commercial clients of all sizes on their business insurance needs.

As Head of Cyber Insurance, Marc has responsibility for ensuring that the advice and products that Towergate provides meet clients’ needs. Marc is a member of the British Insurance Brokers’ Association (BIBA) cyber technical committee.


Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.


[1] UK .gov.uk Cyber security breaches survey 2025, cyber crime.

Marc Rocker, Head of Cyber, Ardonagh Advisory

Date: September 05, 2025

Category: Cyber

