Ransomware attacks, in which online criminals block access to critical files until they’re paid to release them, are on the rise , security experts warn.

Last year, the Federal Bureau of Investigation’s Internet Crime Complaint Center saw 2,453 complaints about ransomware incidents that cost users a total of more than $1.6 million, according to the center’s annual report. The report cautions that many online attacks go unreported to law enforcement altogether, meaning total incidents and losses could be that much higher.

“And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance,” the FBI warned in late April. According to security firm Proofpoint, in 2015 ransomware represented three percent of sample infected emails, but five months into 2016, ransomware already represents 30 percent of samples.

“Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today,” security firm Symantec said in an August report on the subject.

Ransomware typically installs itself after a victim is tricked into clicking an attachment or link in a phishing email, or when a victim visits a hacked website running code that can exploit vulnerabilities in a local operating system. It either prevents the victim from logging in to the computer or encrypts files with a secret key known only to the attackers. Then, it presents a message demanding a ransom to restore access, typically to be paid with bitcoin or another digital money transfer tool.

Typical ransom demands are about $300, according to the Symantec report, but victims—including companies and government agencies—can often be induced to pay more for access to their data. Hollywood Presbyterian Hospital in Los Angeles paid more than $17,000 in bitcoin to end a ransomware attack in February, Reuters reports, and even some local police departments have found themselves paying ransoms to regain access to their files.

The attacks can be more disruptive than traditional cyberattacks focused on stealing information, since they can entirely prevent access to critical business data that isn’t properly backed up.