Google has moved its AI-powered ransomware detection for Drive out of beta and enabled it by default for paid customers, shifting cloud storage from a passive backup to an active containment point. First trialed in late 2025, the feature now scans files as they sync from desktop endpoints and pauses syncing when ransomware-like encryption is detected, alerting both users and admins and giving organizations a faster path to recovery.
Why this change matters
Ransomware continues to be one of the most disruptive threats for businesses and institutions. When cloud sync continues unchecked, encrypted files on an infected endpoint can overwrite clean cloud copies, multiplying the damage. By default-enabling detection for paying customers, Google reduces configuration friction and increases the chance that infections are noticed before critical cloud data is lost, turning Drive into a recovery-focused stopgap rather than a propagation vector.
How the detection works
When Drive for desktop is running, files being synced from a desktop are scanned by Google's AI models. If the system identifies patterns consistent with ransomware-encrypted files, Drive pauses syncing for that affected user. The user receives an email and an in-product notification; administrators see an alert in the Google Admin console. After containment, Google provides instructions and access to a Drive restoration tool that can roll back corrupted files so organizations can recover quickly.
What it does, and doesn't, protect
What it protects: Cloud copies stored in Google Drive. Pausing sync prevents newly encrypted files from overwriting clean versions, preserving a recoverable state in the cloud.
What it doesn't protect: The endpoint itself. The detection won't stop malware from encrypting files on the local machine; it only blocks those changes from being propagated to Drive.
Scope, availability, and admin controls
Google says the feature is enabled by default for organizations on paid Workspace plans: business, enterprise, education, and frontline. The file restoration tool is available more broadly to Workspace customers, Workspace Individual subscribers, and users with personal Google accounts. Admins retain control: the ransomware detection setting can be turned off in the Admin console under Apps → Google Workspace → Settings for Drive and Docs → Malware and Ransomware.
Operational requirements and behavior
To receive full detection alerts and telemetry, endpoints should run Drive for desktop version 114 or later. Google notes that even older client versions will have syncing paused if ransomware-encrypted files are detected, but updating the client ensures the fastest, most informative alerts and better integration with admin tooling.
How Google's approach compares
Cloud providers have been adding similar recovery-focused features. Microsoft's OneDrive offers ransomware detection and recovery for Microsoft 365 subscribers, and Dropbox provides comparable protections for certain business plans. Google's emphasis on an AI model that detects many more infection patterns (Google reports the latest model detects 14× more infections than during beta) aims to broaden coverage and speed up containment.
Practical steps for organizations
- Update Drive for desktop: Ensure endpoints are running v.114 or later to get the best alerts and telemetry.
- Treat Drive as a recovery component: Use Drive's restoration tool in incident response playbooks and include cloud restores in tabletop exercises.
- Maintain layered backups: Don't rely exclusively on cloud versioning; keep offline or air-gapped backups for catastrophic scenarios.
- Harden endpoints: Combine cloud protections with strong endpoint detection and response (EDR), timely patching, and least-privilege access controls.
- Prepare admin workflows: Configure Admin console alerts and decide whether to keep detection enabled by default or to manage it centrally.
- Train users: Teach staff to report Drive alerts immediately and avoid actions that could complicate recovery.
The bottom line
By default-enabling AI-driven ransomware detection for paid users, Google reduces a key operational gap: getting timely containment without manual configuration. The feature won't replace endpoint security or traditional backups, but it makes Drive a more reliable safety net, helping organizations detect infections sooner and restore data faster when ransomware strikes.