
What a Ransomware Infection Looks Like on Windows 11

Introduction: It Happens Faster Than You Think

In my years of working in IT, ransomware calls are among the worst you can receive. One minute everything is fine, and the next, someone is staring at a screen full of encrypted files and a demand for payment in cryptocurrency.

Most people understand the general concept — attackers encrypt your files and hold them hostage. But very few people know what it actually looks like while it is happening. That gap in awareness is exactly why ransomware continues to succeed.

This article walks you through what a typical ransomware infection looks like on a Windows 11 system — from the moment the malicious file is launched to the ransom note appearing on screen. The behaviour described here is based on controlled lab simulations designed to illustrate how ransomware commonly operates during a real attack.


How Ransomware Gets In

Before we talk about what happens during an infection, it is worth understanding how ransomware gets onto a system in the first place. Attackers don't need to be particularly sophisticated — they just need one mistake.

Phishing Emails

Phishing remains one of the most common entry points. Attackers send convincing emails that can look like fake invoices, overdue payment notices, shipping confirmations, or even job applications. These emails often include attachments such as .exe files disguised as PDFs, Office documents with malicious macros, or ZIP and ISO archives containing malware.

Opening the attachment — or enabling content inside the document — can immediately start the infection.

Fake Software Installers

Another common method involves trojanized software that looks completely legitimate. These may look like browser updates, PDF reader installers, or remote support tools. Attackers often replicate real branding, icons, and installer interfaces to earn your trust. Once launched, the program silently downloads and executes ransomware in the background while you think you are installing something useful.

Malicious Macros in Office Documents

Even with Microsoft's improved macro security policies, attackers still try to trick users into enabling macros. Documents may display messages like:

"Enable Content to view this secure document."

If macros are enabled, the document can download ransomware from a remote server, launch malicious scripts using PowerShell, or modify system settings to weaken security — all while appearing completely normal on screen.

Compromised Remote Desktop (RDP)

In business environments, poorly secured Remote Desktop services are a major target. Attackers may brute force weak passwords, use credentials from previous breaches, or log in remotely to exposed systems. Once in, they can disable security tools and manually deploy ransomware across the entire network. This is especially common in small businesses where RDP may be exposed directly to the internet without proper protections.


What the Infection Actually Looks Like

This is the part most people never see — the attack as it unfolds in real time.

Step 1 — The Malicious File is Launched

The attack often begins when a user runs a file that appears harmless. Think filenames like:

  • invoice_2026.pdf.exe
  • document_viewer_update.exe
  • scanned_image.jpg.scr

Once executed, most users notice very little at first. There may be a brief flash of a command window, a slight lag, or some increased disk activity. Ransomware is intentionally designed to stay quiet in the early stages. The less you notice, the more time it has to do damage.

Step 2 — Files Begin Encrypting Silently

After execution, ransomware starts scanning the system for valuable data — documents, photos, videos, databases, archives, and anything connected including network shares and external drives.

During this stage, ransomware may also:

  • Delete Windows shadow copies to prevent file recovery
  • Attempt to disable or bypass security software
  • Identify cloud-synced folders like OneDrive or Google Drive

You might start to notice folders rapidly refreshing, file extensions changing, or desktop icons repeatedly updating. By the time you realize something is wrong, a significant portion of your files may already be encrypted. Depending on how much data is on the system, this process can take anywhere from seconds to several minutes.
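Two of the Step 2 behaviours leave tracks in the Windows event logs before the wallpaper ever changes. The script below is an added example, not code from the article; it hunts the Security log for process creation events whose command line deletes shadow copies and the Microsoft Defender operational log for protection being switched off, and it counts the shadow copies that still exist. It assumes the "Audit Process Creation" policy and "Include command line in process creation events" are turned on (otherwise event 4688 carries no command line and the first query is empty) and that it runs in an elevated PowerShell session.

```powershell
# Added example (not from the article). Hunt local logs for the Step 2
# behaviours: shadow copy deletion and security software being disabled.
# Requires: Audit Process Creation + command line logging, elevated shell.

# Detection patterns only (MITRE ATT&CK T1490, Inhibit System Recovery).
$ShadowCopyDeletionPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy'
)

function Get-ShadowCopyDeletionEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML rather than
        # relying on positional Properties indexes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = $data['CommandLine']
        if (-not $cmd) { continue }
        foreach ($pattern in $ShadowCopyDeletionPatterns) {
            if ($cmd -imatch $pattern) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = $data['SubjectUserName']
                    Parent  = $data['ParentProcessName']
                    Process = $data['NewProcessName']
                    Command = $cmd
                    Pattern = $pattern
                }
                break
            }
        }
    }
}

function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 5001 = real-time protection disabled, 5004 = real-time protection
    # configuration changed, 1116 = malware detected.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5004, 1116; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

function Get-ShadowCopyCount {
    # Zero shadow copies on a machine that has System Protection turned on is
    # itself worth a second look.
    (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | Measure-Object).Count
}

# Usage
Get-ShadowCopyDeletionEvents -Hours 24 | Format-Table -AutoSize
Get-DefenderTamperEvents     -Hours 24 | Format-Table -AutoSize
"Shadow copies currently present: $(Get-ShadowCopyCount)"
```

On a workstation that has never seen a shadow copy deleted, the first two queries should come back empty. A hit on `Get-ShadowCopyDeletionEvents` whose parent process is an Office application, a script host, or something running out of a user's Downloads folder is the combination to treat as an incident rather than an administrator doing maintenance.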

Step 3 — The Desktop Wallpaper Changes

Many ransomware families change the desktop wallpaper as a deliberate psychological move. It displays a warning message along the lines of:

"Your files have been locked. Follow the instructions to restore access."

This is designed to create immediate panic and force you to read the ransom instructions right away.

Step 4 — The Ransom Note Appears

Once encryption is complete, ransomware drops ransom notes in affected folders. Common filenames include README.txt, HOW_TO_RESTORE_FILES.html, or RECOVERY_INSTRUCTIONS.txt. These notes typically include a unique victim ID, instructions for contacting the attackers, cryptocurrency payment instructions, deadlines, and warnings against attempting recovery on your own.

Some variants also launch a full-screen popup that continuously displays the ransom demand so you cannot ignore it.
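The on-disk side of Steps 2 and 4 can be checked in a few seconds. The script below is an added example, not code from the article; it scans a profile for a burst of recently modified files that all gained the same unfamiliar extension, and for ransom notes that were dropped, byte for byte identical, into many folders. The "normal extension" list, the note filename pattern (built from the names quoted above), and the thresholds are assumptions to tune for your environment. It is read-only and only reports what it finds.

```powershell
# Added example (not from the article). Read-only triage of a user profile for
# the two on-disk signs of ransomware described in Steps 2 and 4.

# Extensions that are ordinary on a workstation (assumed list). Anything else
# that suddenly appears on many files inside the time window is reported.
$KnownExtensions = @('.txt','.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.jpg','.jpeg','.png',
                     '.gif','.mp3','.mp4','.zip','.7z','.csv','.json','.xml','.html','.lnk','.ini',
                     '.dll','.exe','.log','.tmp','.dat','.db')

# Filenames matching the ransom note names quoted in the article plus the
# usual "readme / restore / recover / decrypt" wording. Detection pattern only.
$RansomNotePattern = '^(readme|how_to_(restore|recover|decrypt)|recovery_instructions|restore_files|decrypt)[^\\]*\.(txt|html|hta)$'

function Find-ExtensionBurst {
    param([string]$Root = $env:USERPROFILE, [int]$WindowMinutes = 60, [int]$Threshold = 50)
    $since = (Get-Date).AddMinutes(-$WindowMinutes)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and $_.Extension -and ($KnownExtensions -notcontains $_.Extension.ToLower()) } |
        Group-Object { $_.Extension.ToLower() } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Extension = $_.Name
                Files     = $_.Count
                # A double extension such as "report.docx.<new>" means the
                # original name was kept and a new extension appended.
                DoubleExt = ($_.Group | Where-Object { $_.BaseName -match '\.[A-Za-z0-9]{2,5}$' }).Count
                Example   = $_.Group[0].FullName
            }
        }
}

function Find-RansomNotes {
    param([string]$Root = $env:USERPROFILE, [int]$MinFolders = 5)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $RansomNotePattern -and $_.Length -lt 64KB } |
        ForEach-Object {
            [pscustomobject]@{
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Folder = $_.DirectoryName
                Name   = $_.Name
                Path   = $_.FullName
            }
        } |
        Group-Object Hash |
        # The same file in many different folders is the signature of a mass
        # drop; a lone README.txt in a project folder is not.
        Where-Object { @($_.Group.Folder | Select-Object -Unique).Count -ge $MinFolders } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Group[0].Name
                Folders = @($_.Group.Folder | Select-Object -Unique).Count
                Sample  = $_.Group[0].Path
            }
        }
}

# Usage
Find-ExtensionBurst -Root $env:USERPROFILE -WindowMinutes 60 -Threshold 50 | Format-Table -AutoSize
Find-RansomNotes    -Root $env:USERPROFILE -MinFolders 5                   | Format-Table -AutoSize
```

Grouping the notes by hash is what keeps this useful: developers have README.txt files everywhere, but never fifty identical ones written in the last hour. If `Find-ExtensionBurst` reports a single unknown extension across hundreds of files with a high `DoubleExt` count, stop reading the output and go to the isolation steps further down.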


How Windows 11 Protects Against Ransomware

The good news is that Windows 11 includes several solid built-in protections — but they only work if they are properly configured and actually enabled.

Microsoft Defender Antivirus

Microsoft Defender has come a long way. I have written about this before — it is a legitimately strong antivirus solution for most users and organizations. It can detect known ransomware variants, use behaviour monitoring to flag suspicious file encryption activity, and block malicious scripts and downloads. Keeping Defender enabled and updated is one of the most important things you can do.

Controlled Folder Access

Controlled Folder Access is an underused feature that prevents unauthorized programs from modifying files in protected locations like Documents, Pictures, Videos, and the Desktop. If an unknown program tries to encrypt files in those folders, it can block the action entirely. It does require some initial configuration and may generate false positives, but it is well worth setting up.

Smart App Control

Smart App Control helps prevent malicious applications from running by blocking unknown executables, unsigned applications, and suspicious installers. One important caveat — Smart App Control is only available on fresh installs of Windows 11. If it was previously turned off, it cannot be re-enabled without reinstalling. Check your system settings to see if it is active.
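Checking that these three protections are actually on, rather than assuming they are, takes one function. The script below is an added example, not code from the article or from Microsoft. It reports Defender, Controlled Folder Access, and Smart App Control state, then rolls Controlled Folder Access out in audit mode first so the false positives mentioned above can be reviewed from the event log before enforcement. The extra protected folder and allowed application paths are placeholders; the Smart App Control registry value is the one Microsoft documents for its state. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article). Report the state of the Windows 11
# protections discussed above and stage Controlled Folder Access in audit mode.

function Get-RansomwareProtectionStatus {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # Smart App Control state (documented registry value):
    # 0 = off, 1 = on, 2 = evaluation mode. Absent on installs that never had it.
    $sac = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                             -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    # EnableControlledFolderAccess: 0 Disabled, 1 Enabled, 2 AuditMode,
    # 3 BlockDiskModificationOnly, 4 AuditDiskModificationOnly
    $cfaModes = @('Disabled','Enabled','AuditMode','BlockDiskModificationOnly','AuditDiskModificationOnly')
    [pscustomobject]@{
        DefenderServiceRunning = $status.AMServiceEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        TamperProtection       = $status.IsTamperProtected
        SignatureAgeDays       = $status.AntivirusSignatureAge
        ControlledFolderAccess = $cfaModes[[int]$pref.EnableControlledFolderAccess]
        ProtectedFolders       = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
        SmartAppControl        = $(switch ($sac) { 1 { 'On' } 2 { 'Evaluation' } 0 { 'Off' } default { 'Not available' } })
    }
}

function Enable-ControlledFolderAccessAudit {
    param(
        [string[]]$ExtraProtectedFolders = @(),   # placeholder, e.g. a local finance share
        [string[]]$AllowedApplications   = @()    # placeholder, full paths of apps that legitimately write there
    )
    # Audit mode logs what would have been blocked (event 1124) without blocking.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    foreach ($f in $ExtraProtectedFolders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    foreach ($a in $AllowedApplications)   { Add-MpPreference -ControlledFolderAccessAllowedApplications $a }
}

function Get-ControlledFolderAccessEvents {
    param([int]$Days = 7)
    # 1123 = blocked, 1124 = would have been blocked (audit mode).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            # Best-effort parse of the message text; field labels are assumed.
            $proc = if ($m -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
            $path = if ($m -match 'Path:\s*(.+)')         { $Matches[1].Trim() } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; Mode = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audit' }; Process = $proc; Target = $path }
        } | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name
}

# Usage
Get-RansomwareProtectionStatus
Enable-ControlledFolderAccessAudit -ExtraProtectedFolders 'C:\Data\Finance'   # placeholder path
Get-ControlledFolderAccessEvents -Days 7
# After a clean audit week, enforce: Set-MpPreference -EnableControlledFolderAccess Enabled
```

The audit log is where the false positives show up: a backup agent or a CAD package writing to Documents will appear at the top of the grouped output. Add those paths with `-AllowedApplications` before switching to `Enabled`, and leave Tamper Protection on so the setting cannot be flipped back by anything that is not you.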

OneDrive Version History

Cloud storage is not a replacement for backups, but OneDrive's version history can still be a useful safety net. You can restore previous versions of files or roll back entire folders. Keep in mind that the free plan limits version history to 30 days — so if an infection goes undetected for a while, that window may not be enough. Knowing this limitation ahead of time matters.


Why Ransomware Still Succeeds in 2026

Despite major improvements in operating system security, ransomware keeps working. The reasons are almost always the same:

  • Users opening phishing attachments
  • Security features that are disabled or misconfigured
  • Weak passwords or exposed RDP services
  • Lack of proper backups
  • Slow detection and response

Attackers only need one mistake. That is it. One employee clicking the wrong attachment can bring an entire organization to a standstill.


What To Do Immediately If You Suspect Ransomware

Speed matters. Quick action can significantly reduce the damage.

1. Disconnect from the Network

Isolate the device immediately. Unplug Ethernet cables and disable Wi-Fi. This helps prevent the ransomware from spreading to other systems and network resources.

If you are not part of an IT or security team, power the system off after disconnecting it from the network to stop further encryption. In business environments, IT professionals may choose to leave the system powered on temporarily for investigation purposes.

2. Decide Whether to Keep the System Powered On

For most home users and non-technical environments, shutting the system down after isolation is the safest option to immediately stop further damage.

In business environments, IT or security teams may choose to keep the system powered on temporarily to capture logs, analyze the attack, and preserve forensic evidence. This decision should only be made if the device is fully isolated and there is no risk of the infection spreading further.

3. Contact IT Support or Your MSP

Provide as much detail as you can — any emails you recently opened, files you downloaded or executed, when the issue started, and screenshots of any ransom messages you are seeing. Do not attempt to fix it yourself before contacting IT.

4. Check Cloud Services

Review connected platforms like OneDrive, Google Drive, or Dropbox. Earlier versions of files may still be recoverable depending on when the infection occurred and how long version history is retained.

5. Investigate Other Systems

In a business environment, IT teams should immediately check file servers, NAS storage, backup systems, domain controllers, and RDP login activity. Early detection across the network can prevent widespread damage.

6. Avoid Paying the Ransom

This one is important. Avoid paying the ransom whenever possible. While some organizations consider payment as a last resort for business continuity, it carries significant risks — including no guarantee of recovery, additional extortion, and potential legal or regulatory implications.

Before considering payment, check nomoreransom.org — a free resource that provides decryption tools for a growing number of ransomware variants. It has helped many victims recover their files without paying a cent.
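Steps 1, 2 and 5 above are easier to get right when the first responder has something to run instead of something to remember. The script below is an added example, not code from the article; it captures the volatile network state, isolates the machine, snapshots the evidence IT will ask for (processes with owners, RDP logons, failed logon bursts) to removable media, and only then leaves the power-off decision to whoever is handling the case. It defaults to a dry run, the output path is a placeholder, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the article). First-responder snapshot for the
# isolation and investigation steps above. Dry run unless -Isolate is given.

function Invoke-RansomwareFirstResponse {
    param(
        [string]$OutputRoot = 'E:\IR',   # placeholder: a USB drive, not the infected disk
        [switch]$Isolate,
        [int]$LookbackHours = 72
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $out -Force | Out-Null
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Step 1: capture live connections, then cut the network.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Export-Csv -Path (Join-Path $out 'connections.csv') -NoTypeInformation
    if ($Isolate) {
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
        'Adapters disabled at ' + (Get-Date) | Out-File -FilePath (Join-Path $out 'notes.txt')
    } else {
        'Dry run: adapters left up. Re-run with -Isolate to disconnect.' | Tee-Object -FilePath (Join-Path $out 'notes.txt')
    }

    # Step 2 support: who and what is running right now, before any power-off.
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, UserName, StartTime |
        Export-Csv -Path (Join-Path $out 'processes.csv') -NoTypeInformation

    # Step 5: RDP login activity. 4624 LogonType 10 = remote interactive
    # (RDP) logon; 4625 = failed logon, a burst of which suggests brute forcing.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml(); $d = @{}
            foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                LogonType = $d['LogonType']
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIP  = $d['IpAddress']
            }
        }
    $logons | Export-Csv -Path (Join-Path $out 'logons.csv') -NoTypeInformation
    $logons | Where-Object { $_.LogonType -eq '10' -and $_.Result -eq 'Success' } |
        Group-Object User, SourceIP | Select-Object Count, Name |
        Out-File -FilePath (Join-Path $out 'rdp-summary.txt')
    $logons | Where-Object { $_.Result -eq 'Failure' } |
        Group-Object SourceIP | Sort-Object Count -Descending | Select-Object Count, Name -First 20 |
        Out-File -FilePath (Join-Path $out 'failed-logons.txt')

    return $out
}

# Usage: dry run first, then isolate once the output path is confirmed writable.
Invoke-RansomwareFirstResponse -OutputRoot 'E:\IR'
Invoke-RansomwareFirstResponse -OutputRoot 'E:\IR' -Isolate
```

The ordering is deliberate: connections are read before the adapters go down because they vanish the moment the link does, and the process list is written before anyone touches the power button. The `rdp-summary.txt` file answers the Step 5 question directly; a successful type 10 logon from an address nobody recognises, preceded by hundreds of failures from the same address, is the compromised-RDP pattern described earlier in this article.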


How to Prevent Future Infections

For Home Users

  • Turn on multi-factor authentication for every account that offers it
  • Keep Microsoft Defender enabled and updated
  • Avoid downloading unknown or pirated software
  • Enable OneDrive version history and understand its limitations
  • Maintain external backups that are not always connected
  • Think twice before enabling macros in Office documents

For Businesses

  • Enforce multi-factor authentication across all accounts
  • Restrict Office macros by policy
  • Use endpoint detection and response (EDR) tools
  • Segment your network so a single infection cannot spread everywhere
  • Maintain off-site and immutable backups
  • Apply software patches regularly and consistently
  • Ensure RDP is not exposed directly to the internet

The best recovery strategy after a confirmed ransomware attack is almost always to rebuild the affected system from scratch and restore from clean backups taken before the infection.
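Two of the business items above, RDP exposure and Office macro policy, can be audited locally before anyone has to trust a checklist. The script below is an added example, not code from the article; it reads the documented registry and firewall settings and reports the value that would fix each finding. It is read-only. The Office policy path uses "16.0", which covers Office 2016 and later and Microsoft 365, and a local check cannot see whether a router forwards port 3389 from the internet, so the external side still needs confirming from outside.

```powershell
# Added example (not from the article). Read-only audit of RDP exposure and
# Office macro policy on the local machine.

function Test-RdpExposure {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $rdpEnabled  = ($ts.fDenyTSConnections -eq 0)
    $nlaRequired = ($nla.UserAuthentication -eq 1)
    # Enabled inbound Remote Desktop rules whose remote address is unrestricted.
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' })
    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nlaRequired
        InboundRulesToAny = $openRules.Count
        Finding           = if (-not $rdpEnabled) { 'RDP disabled' }
                            elseif (-not $nlaRequired) { 'RDP on without NLA: set UserAuthentication=1 under WinStations\RDP-Tcp, or disable RDP' }
                            elseif ($openRules.Count -gt 0) { 'RDP reachable from any address: restrict RemoteAddress to the management subnet or VPN' }
                            else { 'RDP on, NLA required, firewall scoped; confirm no port forward from the internet' }
    }
}

function Test-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        # Policy location written by Group Policy; user-chosen settings live under
        # HKCU:\Software\Microsoft\... instead and are not enforced.
        $policy = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        # VBAWarnings: 1 = enable all, 2 = disable with notification (the
        # "Enable Content" bar), 3 = disable except digitally signed,
        # 4 = disable all without notification.
        # BlockContentExecutionFromInternet = 1 blocks macros in files carrying
        # the Mark of the Web.
        $warn  = $policy.VBAWarnings
        $block = $policy.BlockContentExecutionFromInternet
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = if ($null -eq $warn) { 'not set (user can click Enable Content)' } else { $warn }
            BlockInternetMacros = ($block -eq 1)
            Compliant           = ($warn -in 3, 4) -and ($block -eq 1)
            Recommended         = 'VBAWarnings=3 or 4 and BlockContentExecutionFromInternet=1 via Group Policy'
        }
    }
}

# Usage
Test-RdpExposure
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

The macro check deliberately reads the Policies hive only. A user-level setting can be changed back by the same person who is about to click "Enable Content", which is exactly the scenario described in the section on malicious macros; a policy value cannot.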


Final Thoughts

Ransomware attacks unfold much faster than most people expect. In my experience, the most common factor I see is not a technical failure — it is a moment of distraction. Someone opens the wrong attachment during a busy day, and that is all it takes.

Understanding what a ransomware infection looks like on Windows 11 — the early system behaviour, the silent file encryption, the wallpaper change, the ransom note — gives you a real chance to recognize it quickly and respond before the damage becomes irreversible.

Combine that awareness with proper security configurations, reliable backups, and good security habits, and you significantly reduce the chance that one mistake turns into a major disaster.

Because when it comes to ransomware, awareness is your first line of defence.