Ransomware & Extortion


Lesson 10 - Ransomware & Extortion

How it works: Ransomware is malware that encrypts your files and demands cryptocurrency to unlock them. Modern crews also steal copies first (“double extortion”) and threaten to leak them. Entry paths are ordinary: a fake invoice attachment, a browser drive-by, a remote desktop service with a weak password, or a trojanized update. Once inside, the program scrambles documents, photos, and network shares, drops a ransom note, and may delete local snapshots so you can’t roll back. Paying doesn’t guarantee a working decryptor—or that they won’t come back.

Spot it

  • Files suddenly get new extensions; folders fill with identical ransom notes.
  • A lock screen appears; shadow copies/backups disappear; CPU spikes while you’re idle.
  • Network shares become unreadable; security tools or updates are mysteriously disabled.
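A defender-side check for the first indicator above, as an added example that is not part of the lesson: it walks a folder tree and flags an extension tail that has been appended to many files and a byte-identical ransom note repeated across folders. The file names, contents and thresholds are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Constructed sample layouts (hypothetical names). In the infected tree the documents
# gained a second tail ".fin.lock" and every folder received the same note, as in the lesson.
NOTE = b"We have encrypted your files. Pay 0.8 BTC in 72 hours to receive the key."
INFECTED_TREE = {
    "projects/report.docx.fin.lock": bytes(range(64)),
    "projects/budget.xlsx.fin.lock": bytes(range(64, 128)),
    "projects/README_RESTORE.txt": NOTE,
    "photos/trip.jpg.fin.lock": bytes(range(128, 192)),
    "photos/README_RESTORE.txt": NOTE,
    "photos/cat.jpg": b"\xff\xd8\xff\xe0" + bytes(32),  # untouched file
}
CLEAN_TREE = {"projects/report.docx": bytes(range(64)), "photos/cat.jpg": bytes(32)}

def write_tree(root, layout):
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def scan_for_ransomware_signs(root, min_files=3, min_dirs=2):
    """Check two 'Spot it' indicators: an extra extension tail appended to many
    files, and a byte-identical note file repeated across several folders."""
    tail_counts = Counter()          # ".fin.lock" -> number of files carrying it
    note_dirs = defaultdict(set)     # (name, sha256) -> folders containing that file
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            parts = name.split(".")
            if len(parts) >= 3:      # base.ext.tail -> count the appended tail
                tail_counts["." + ".".join(parts[2:])] += 1
            with open(os.path.join(dirpath, name), "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            note_dirs[(name, digest)].add(dirpath)
    return {
        "suspicious_tails": {t for t, n in tail_counts.items() if n >= min_files},
        "repeated_notes": {n for (n, _), dirs in note_dirs.items() if len(dirs) >= min_dirs},
    }

def demo(layout=INFECTED_TREE):
    """Write the constructed tree to a fresh temp dir and scan it."""
    root = tempfile.mkdtemp()
    write_tree(root, layout)
    return scan_for_ransomware_signs(root)
```

The thresholds are deliberately low for the tiny sample; on a real volume, raise `min_files` so that legitimate double extensions such as `.tar.gz` do not trip the check.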

What to do

  • Isolate immediately: disconnect Wi-Fi/Ethernet; if encryption is actively running and you hear the drive churning, power off to stop the process.
  • From a clean device, change passwords for critical accounts; enable app-based 2FA; revoke any API keys.
  • Do not pay on impulse. Consult pros; preserve evidence (notes, filenames, logs). Restore from offline backups.
  • After recovery: patch systems, remove unused remote access, and keep one backup that is offline/immutable.

How It Plays Out

The email looks harmless—your name, a polite line about a missed invoice, a PDF icon that clicks with a little thrill of productivity. The file opens to nothing. You shrug and get back to work. Ten minutes later, the filenames in your projects folder gain a second tail—.fin.lock. Photos won’t open. A window blooms across your desktop like a stage curtain: “We have encrypted your files. Pay 0.8 BTC in 72 hours to receive the key. We have also copied your data.”

Panic arrives in two acts. First, you try to make it go away—close the window, reboot, click the note as if it were a pop-up. Every minute, more folders convert to gibberish. Second, you remember the backup—a small drive that has been plugged in since winter. You open it. It’s encrypted too. Connected backups are just additional hard drives to a program that can’t tell a safety net from a target.

You do the unglamorous thing that works: you pull the network. The chattering stops. On a separate laptop that has never met this USB stick or this Wi-Fi, you change the passwords that matter—email, bank, exchanges—and print the recovery codes you meant to print last summer. Then you find the backup you forgot to brag about: the one in the closet that you make once a month and never leave connected. It’s dusty, which means it’s pure.

Recovery feels like sweeping glass. You wipe the machine and reinstall. You restore only what you need. You resist the urge to import your whole digital attic. You skip the shady PDF reader you used once because a tutorial told you to. You let the OS update itself three times. You buy an offline backup drive that your future self will thank you for, set a calendar reminder, and learn the boring rhythm that beats theater: three copies, two types of media, one offline.

Pocket anchors: Backups that are offline and tested beat ransoms you regret. If encryption is running, pull the network (and power if needed). Rebuild on clean ground; fix the doors, then the windows.