Block ransomware proliferation and easily restore files with AI in Google Drive

Ransomware remains one of the most damaging cyber threats facing organizations today. These attacks can lead to substantial financial losses, operational downtime, and data compromise, impacting organizations of all sizes and industries, including healthcare, retail, education, manufacturing, and government. In fact, intrusions related to ransomware represented 21% of all the intrusions observed by Mandiant last year, with an average ransomware or extortion incident cost exceeding $5M.

While native Workspace documents (e.g., Google Docs, Sheets) are not impacted by ransomware and ChromeOS has never had a ransomware attack, ransomware is a persistent threat for other file formats (e.g., PDF, Microsoft Office) and desktop operating systems (e.g., Microsoft Windows). That’s why we're enhancing Google Drive for desktop with AI-powered ransomware detection to automatically stop file syncing and allow users to easily restore files with a few clicks.

The traditional approach to fighting ransomware falls short

To date, ransomware has largely been treated as an antivirus (AV) issue: Seek out potentially malicious code before it’s activated and quarantine it. This is an important and necessary defense, but with the continued success of ransomware attacks over the last few years, it’s clear this approach is insufficient. Ransomware is no longer just an IT issue and has become increasingly disruptive for core business operations, such as manufacturing lines, retail operations, or hospital services. We believe that it’s paramount to find a better way to fight ransomware.

What we’re announcing today is an entirely new layer of defense. While AV solutions continue their work to stop ransomware from getting in, we’ve built the protections to stop it from being effective once it is, inevitably, through the door. Our AI-powered detection in Drive for desktop identifies the core signature of a ransomware attack — an attempt to encrypt or corrupt files en masse — and rapidly intervenes to put a protective bubble around a user’s files by stopping file syncing to the cloud before the ransomware can spread. This helps to stop ransomware from doing what it must to be most effective: corrupt important files and make them unusable.

In addition, the built-in virus detection in Drive, as well as in Gmail and Chrome, helps to prevent ransomware from spreading to other devices with the aim of taking over an entire network. As a result, these defenses can help organizations in industries such as healthcare, retail, education, manufacturing, and government from being disrupted by the types of ransomware attacks that have been so destructive up to this point.

How it works

Drive for desktop, available on Windows and macOS, is used to efficiently and securely sync user files and documents to the cloud. It can be also used as a critical line of defense against malware and ransomware attacks. With that in mind, we’ve built a specialized AI model, trained on millions of real-world ransomware samples, to look for signals that a file has been maliciously modified. The detection engine adapts to novel ransomware by continuously analyzing file changes and incorporating new threat intelligence from VirusTotal. When Drive detects unusual activity that suggests a ransomware attack, it automatically pauses syncing of affected files, helping to prevent widespread data corruption across an organization’s Drive and the disruption of work.

Users then receive an alert on their desktop and via email, guiding them to restore their files. Unlike traditional solutions that require complex re-imaging or costly third-party tools, the intuitive web interface in Drive allows users to easily restore multiple files to a previous, healthy state with just a few clicks. This rapid recovery capability helps to minimize user interruption and data loss, even when using traditional software such as Microsoft Windows and Office.

For IT teams, administrators maintain the visibility and control they need by receiving alerts in the Admin console for detected ransomware activity. Administrators can leverage the security center to review the audit log with detailed information. This new capability is on by default for all customers, but administrators have the controls to disable detection and restoration capabilities for end users, if needed. As a reminder, Google does not use customer data, including prompts and generated outputs, for advertising purposes or to train or fine-tune any of its generative AI models without customer permission or instruction.

“By seamlessly integrating AI-powered ransomware detection and restore capabilities into Drive, Google is helping organizations with an innovative way to avoid an increasingly common and increasingly dangerous threat while also giving end users the ability to continue working. This is great not only for Google Workspace users but individuals and companies who may use other office productivity suites as well” – Bob O'Donnell, President and Chief Analyst, TECHnalysis Research

Next steps

Starting today, this capability is rolling out in an open beta and is one of the many enterprise-grade security controls in Drive that provide robust protection of sensitive data and business continuity for organizations of all sizes. Ransomware detection, alerting, and file restoration capabilities are included in most Workspace commercial plans at no additional cost. Consumer users also benefit from the file restoration capability at no additional cost. Learn more about these new capabilities and download Drive for desktop today.