New Google Drive for Desktop feature targets ransomware with AI

The new feature aims to automatically spot suspicious activity, stop the attack from spreading, and make it easier for users to restore their files.

Ransomware remains one of the toughest cybersecurity problems for businesses. These attacks can bring down hospitals, factories, schools, and government offices, locking critical data and disrupting operations for days. Mandiant, part of Google Cloud, found that ransomware accounted for 21% of all intrusions it investigated in 2024, with each incident costing organizations an average of over US$5 million.

In Asia Pacific and Japan, most companies don't spot these intrusions themselves. Mandiant's investigations showed that 89% of affected organizations only learned about the attack from external sources, such as law enforcement or the attackers. By the time the ransom note arrives, the damage is often done.

While Google's own ecosystem is more resistant to such threats—ChromeOS has never experienced a ransomware attack, and native Google Docs and Sheets files are not affected—other file formats and operating systems remain exposed. PDF and Microsoft Office files on Windows and macOS are common targets.

To address this gap, Google is introducing AI-powered ransomware detection and recovery in Google Drive for Desktop. The feature aims to automatically spot suspicious activity, stop the attack from spreading, and make it easier for users to restore their files.

Rethinking how to fight ransomware

Traditional antivirus software tries to stop ransomware at the door by scanning for malicious code. That helps, but attackers have become skilled at evading these defenses. Once new ransomware slips past antivirus protection, there's often little to stop it from encrypting valuable files.

"What we're unveiling and making available today is an entirely new layer of defense," said Hana Raja, Country Manager, Malaysia, Google Cloud. "While antivirus solutions continue their work to stop ransomware from getting in, we've built the protections to stop it from being effective once it is inevitably through the door."

Google Drive for Desktop's new AI feature detects unusual file activity that signals mass encryption attempts—the hallmark of ransomware. When detected, it pauses syncing to the cloud, creating a kind of "protective bubble" to keep the malware from corrupting more files. Existing malware defenses in Google Drive also help contain the threat and keep it from spreading to other devices.

How the AI model works

Google trained its ransomware detection model using millions of real-world samples. Luke Camery, Product Manager for Security and Compliance in Google Workspace, said the team pulled data from several sources, including consumer Drive incidents, Mandiant investigations, and VirusTotal's cross-industry datasets. They made sure the model could interpret a wide range of file types, from PDFs and Office files to CAD files.

"The model is designed to be self-healing," Camery explained. "We don't need to manually feed it new samples. Once the world gets its hands on it, we expect it to rapidly improve beyond what we saw in the training corpus."

When Drive detects suspicious activity, syncing is paused automatically. Users receive alerts on their desktop and by email, guiding them to restore affected files. Camery said the system usually kicks in after three to four files have been modified. "Given how high our precision is at this point, I wouldn't expect to lose more than five files," he said. Restoring them can usually be done within seconds through Drive's web interface.

For administrators, alerts are sent through the Admin console, and detailed logs are available for review. The feature is turned on by default for most Workspace customers but can be adjusted by IT teams if needed.

Balancing detection with backup strategies

The restoration feature also reduces the need for some traditional backup systems. "We do want to help reduce reliance on third-party and external backups because storage costs are rising," Camery said. Drive stores up to 100 file revisions, and Google continues to offer APIs for integrating with other backup solutions. Many organizations still use external backups for compliance or disaster recovery, and Google expects that to continue.

Camery added that while the company hasn't partnered with Microsoft or Apple on detection technology, it has worked closely with them at the system level to integrate Drive for Desktop and detect changes quickly.

Available in open beta

The AI-powered ransomware detection and recovery feature is now rolling out in open beta and is included in most Google Workspace commercial plans at no extra cost. Consumer users also get access to the file restoration capability.

By combining early detection with fast recovery, Google hopes to help businesses minimize the damage from ransomware without adding complexity to their security setups.