Ransomware Detection in Google Drive (workspace.google.com)

Google is rolling out an AI-powered ransomware detection and recovery feature in Drive for desktop (Windows and macOS) that automatically pauses file syncing when it detects mass file encryption or other ransomware-like activity and guides users to restore affected files to a prior healthy state. The feature is designed as a new layer of defense that complements traditional antivirus tools by limiting ransomware’s ability to propagate through cloud sync—helping organizations avoid widespread data corruption, downtime, and costly recovery efforts. It’s available in open beta, included in most Workspace commercial plans, and file restoration is free for consumer users. Under the hood, Drive uses a specialized machine-learning model trained on millions of real-world ransomware samples and continuously enriched with VirusTotal threat intelligence to identify anomalous file-change patterns (the signature of mass encryption). When suspicious activity is found, Drive pauses syncing for impacted files, alerts users and admins (with logs and alerts in the Admin console), and exposes an intuitive web UI to roll back multiple files quickly—avoiding complex re-imaging or third-party tooling. Administrators retain control to disable detection or restoration if desired. Google also reiterates it won’t use customer data for ads or to train generative models without permission.