diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index 7efe56e1a..6e6f614d7 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md @@ -16,6 +16,16 @@ If no directory is specified, no files will be encrypted. +## How are the files encrypted? + +Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have +`.m0nk3y` appended to their names. + +This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension. + +This is sufficient for a ransomware simulation as your files are unusuable and are renamed with a different extension, similar to how many ransomwares act. These changes should trigger your security solutions. + + ## Which files are encrypted? All regular files with [relevant extensions](#relevant-file-extensions-for-encryption) in the @@ -27,14 +37,6 @@ configured directory — only appropriate files in the top level of the tree. Symlinks and shortcuts are ignored. -## How are the files encrypted? - -Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have -`.m0nk3y` appended to their names. - -To "decrypt" your files, you can simply perform a bit flip on them again. - - ## Relevant file extensions for encryption Encryption attempts are only performed on regular files with the following extensions.
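Review bot: In the first hunk's added "How are the files encrypted?" section, "unusuable" is a typo for "unusable", and "similar to how many ransomwares act" would read better as "similar to how many ransomware variants behave". The second and third added paragraphs each sit on one long line, while the first paragraph is hard-wrapped after "renamed to have"; wrap them the same way for consistency with the rest of the file. The recovery sentence now covers both steps (flip the bits again, then remove the `.m0nk3y` extension), which the removed text did not. "Bit flip" is still not defined, though, so consider stating exactly which operation is applied to the file contents, so that a reader can reverse it without reading the source. The closing claim that these changes "should trigger your security solutions" could also say which of the two behaviours, in-place content modification or the mass rename, a reader should expect to see alerts for.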