Google Drive turns on AI ransomware detection by default for paying users


Google has moved its AI-powered ransomware detection for Drive out of beta and enabled it by default for paid customers, shifting cloud storage from a passive backup to an active containment point. First trialed in late 2025, the feature now scans files as they sync from desktop endpoints and pauses syncing when ransomware-like encryption is detected, alerting both users and admins and giving organizations a faster path to recovery.

Why this change matters

Ransomware continues to be one of the most disruptive threats for businesses and institutions. When cloud sync continues unchecked, encrypted files on an infected endpoint can overwrite clean cloud copies, multiplying the damage. By enabling detection by default for paying customers, Google reduces configuration friction and increases the chance that infections are noticed before critical cloud data is lost, turning Drive into a recovery-focused stopgap rather than a propagation vector.

How the detection works

When Drive for desktop is running, files being synced from a desktop are scanned by Google’s AI models. If the system identifies patterns consistent with ransomware-encrypted files, Drive pauses syncing for that affected user. The user receives an email and an in-product notification; administrators see an alert in the Google Admin console. After containment, Google provides instructions and access to a Drive restoration tool that can roll back corrupted files so organizations can recover quickly.

What it does—and doesn’t—protect

What it protects: Cloud copies stored in Google Drive. Pausing sync prevents newly encrypted files from overwriting clean versions, preserving a recoverable state in the cloud.

What it doesn’t protect: The endpoint itself. The detection won’t stop malware from encrypting files on the local machine; it only blocks those changes from being propagated to Drive.
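The pause-then-restore flow described above, sketched as an added example that is not Google's code or model: a simple entropy heuristic stands in for the undisclosed AI detection, and `SyncGate`, `ENTROPY_LIMIT` and `PAUSE_AFTER` are hypothetical names and thresholds. It shows why some encrypted overwrites can reach the cloud before the pause and why a rollback step is still needed afterwards.

```python
import hashlib
import math
from collections import Counter

ENTROPY_LIMIT = 7.2  # bits per byte; assumed cut-off for "looks like ciphertext"
PAUSE_AFTER = 3      # assumed number of suspicious overwrites before sync pauses

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(old: bytes, new: bytes) -> bool:
    """An existing structured file was overwritten with near-random bytes."""
    return bool(old) and entropy(old) < ENTROPY_LIMIT <= entropy(new)

class SyncGate:
    """Hypothetical cloud-side gate for one user's uploads."""
    def __init__(self, cloud):
        self.cloud, self.paused, self.previous = dict(cloud), False, {}

    def upload(self, path, new):
        if self.paused:
            return "blocked"
        old = self.cloud.get(path, b"")
        if looks_encrypted(old, new):
            if len(self.previous) + 1 >= PAUSE_AFTER:
                self.paused = True       # containment: stop propagating changes
                return "blocked"
            self.previous[path] = old    # keep the clean version for rollback
        self.cloud[path] = new
        return "synced"

    def restore(self):
        """Roll back the suspicious overwrites that landed before the pause."""
        restored, self.previous = self.previous, {}
        self.cloud.update(restored)
        return sorted(restored)

def simulate():
    # Constructed sample data: five text files, then pseudo-random "ciphertext".
    clean = {f"doc{i}.txt": b"Invoice line item, net 30 days\n" * 100 for i in range(5)}
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    gate = SyncGate(clean)
    results = [gate.upload("notes.txt", b"meeting notes\n")]  # ordinary new file
    results += [gate.upload(p, noise) for p in sorted(clean)]
    return gate, clean, results
```

An entropy jump alone misfires on legitimately compressed or encrypted files, which is one reason a production detector relies on a trained model rather than a single threshold.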

Scope, availability, and admin controls

Google says the feature is enabled by default for organizations on paid Workspace plans—business, enterprise, education, and frontline. The file restoration tool is available more broadly to Workspace customers, Workspace Individual subscribers, and users with personal Google accounts. Admins retain control: the ransomware detection setting can be turned off in the Admin console under Apps → Google Workspace → Settings for Drive and Docs → Malware and Ransomware.

Operational requirements and behavior

To receive full detection alerts and telemetry, endpoints should run Drive for desktop version 114 or later. Google notes that even older client versions will have syncing paused if ransomware-encrypted files are detected, but updating the client ensures the fastest, most informative alerts and better integration with admin tooling.

How Google’s approach compares

Cloud providers have been adding similar recovery-focused features. Microsoft’s OneDrive offers ransomware detection and recovery for Microsoft 365 subscribers, and Dropbox provides comparable protections for certain business plans. Google’s emphasis on an AI model that detects many more infection patterns—Google reports the latest model detects 14× more infections than during beta—aims to broaden coverage and speed up containment.

Practical steps for organizations

  • Update Drive for desktop: Ensure endpoints are running version 114 or later to get the best alerts and telemetry.
  • Treat Drive as a recovery component: Use Drive’s restoration tool in incident response playbooks and include cloud restores in tabletop exercises.
  • Maintain layered backups: Don’t rely exclusively on cloud versioning—keep offline or air-gapped backups for catastrophic scenarios.
  • Harden endpoints: Combine cloud protections with strong endpoint detection and response (EDR), timely patching, and least-privilege access controls.
  • Prepare admin workflows: Configure Admin console alerts and decide whether to keep detection enabled by default or to manage it centrally.
  • Train users: Teach staff to report Drive alerts immediately and avoid actions that could complicate recovery.

The bottom line

By enabling AI-driven ransomware detection by default for paid users, Google reduces a key operational gap: getting timely containment without manual configuration. The feature won’t replace endpoint security or traditional backups, but it makes Drive a more reliable safety net, helping organizations detect infections sooner and restore data faster when ransomware strikes.
