Google Drive - Detects Ransomware and Restores Files, Enhanced Features Now Available

Google Drive can now spot ransomware, which is a type of malware that locks your files and demands money to unlock them. If it finds ransomware, it will stop syncing your files to the cloud so that the bad files don't overwrite your good ones. Plus, if your files do get locked, you can easily get them back to how they were before without paying the ransom. This makes it much safer to use Google Drive for storing important documents.
Google Drive's ransomware detection and file restoration features are now generally available, offering enhanced protection against malware attacks with improved AI capabilities.
Introduction
Google has officially rolled out its ransomware detection and file restoration features for Google Drive, transitioning from beta to general availability. Originally introduced in September 2025, these enhancements are designed to bolster defenses against malware attacks targeting both local machines and cloud synchronization.
How It Works
The updated artificial intelligence model now detects 14 times more ransomware infections compared to the beta version, significantly improving the speed and breadth of detection. The ransomware detection feature, which operates through the Google Drive for desktop application, automatically pauses file synchronization when ransomware behavior is detected on a local endpoint. This proactive measure prevents newly encrypted files from being uploaded to Google Workspace, safeguarding healthy cloud data from being overwritten.
Requirements and Notifications
Users must ensure they are running Google Drive for desktop version 114 or later to receive real-time alerts during an incident. Older versions will still halt synchronization but will not provide desktop notifications. Upon detection, both affected users and domain administrators receive immediate notifications via email, ensuring that security teams can respond swiftly.
File Restoration
The newly introduced file restoration interface allows users to recover multiple compromised files efficiently, reverting them to their pre-infection versions. This capability not only accelerates incident recovery times but also provides a reliable mechanism to restore access without succumbing to extortion demands.
Availability and Administration
Google reports that thousands of users have successfully tested these recovery tools during the beta phase, demonstrating their scalability and reliability in real-world scenarios. Both ransomware detection and file restoration features are enabled by default for organizations, and administrators can manage these settings at the Organizational Unit level in the Google Workspace Admin console.

Availability of these features varies based on the specific Google account type and licensing tier. File restoration is accessible to all Google Workspace customers, individual subscribers, and personal Google accounts. Ransomware detection is supported for Business Standard and Plus editions, as well as various education and enterprise tiers.