Google Drive adds AI ransomware detection and easier file recovery — here’s what it means

Google quietly moved a practical, if imperfect, layer of ransomware defense out of beta and into everyone’s Drive settings this spring. If you use Drive to sync work files or personal documents across a desktop and the cloud, the new protections can stop bad encryption from spreading and help you roll back damage faster.

What changed

There are two pieces here: a detection engine that looks for signs of ransomware activity on a desktop endpoint, and a file restoration interface that helps you revert affected files to earlier, healthy versions. The AI that powers detection has been retrained since beta and, according to Google, now spots roughly 14x more infections than the earlier model did.

Detection and automatic responses happen in the Drive for desktop app on Windows and macOS. When Drive senses unusual activity that looks like ransomware, it pauses syncing to prevent newly encrypted files from overwriting clean cloud copies, then pops up alerts and sends emails to involved users and admins. Older Drive clients will still stop synchronizing but may not show the desktop notifications — so keeping Drive for desktop updated matters (you need version 114 or later to get full alerts).

Who actually gets the early warning?

Not everyone who uses Drive gets the full detection feature. File restoration — the ability to bulk-revert files to pre-infection versions — is broadly available, including personal accounts and most Workspace customers. The automated ransomware detection, which issues the desktop popups and admin alerts, is limited to specific Workspace tiers (Google lists Business and various Enterprise and education/Frontline plans among those that get detection). Admins control the settings from the Admin console and the features are enabled by default for supported accounts.

How it works, in plain English

  • Drive watches file-change patterns and uses an AI model trained on millions of ransomware samples.
  • If Drive for desktop detects suspicious encryption activity, it immediately pauses sync to the cloud.
  • The affected user sees a desktop notification (Drive v114+). Admins get email and Admin console alerts.
  • Once contained, users or admins can select multiple files and restore them in bulk to versions from before the incident.
  • Google also says the detection engine pulls threat intelligence from sources like VirusTotal to keep adapting to new ransomware families, but it does not claim to be a silver bullet — the goal is damage control, not perfect prevention.
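The pause-then-restore flow above can be sketched in a few lines. This is an added example, not Google's detection model or Drive code: it assumes a simple heuristic (several distinct files rewritten with near-random content inside a short window), and the `SyncGuard` class, `restore_targets` function, thresholds, file names and version data are all hypothetical and constructed for illustration.

```python
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted output sits near 8.0, plain text far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class SyncGuard:
    """Hypothetical sync gate: pauses when many files turn high-entropy quickly."""
    def __init__(self, window_s=10.0, burst=3, entropy_min=7.0):  # assumed thresholds
        self.window_s, self.burst, self.entropy_min = window_s, burst, entropy_min
        self.recent = deque()   # (timestamp, path) of suspicious writes
        self.paused_at = None   # start of the burst that triggered the pause

    def on_write(self, ts, path, new_bytes):
        """Return True if this change may sync to the cloud."""
        if self.paused_at is not None:
            return False
        if shannon_entropy(new_bytes) >= self.entropy_min:
            self.recent.append((ts, path))
        while self.recent and ts - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        if len({p for _, p in self.recent}) >= self.burst:
            self.paused_at = self.recent[0][0]
            return False
        return True

def restore_targets(versions, incident_ts):
    """Newest version saved strictly before the incident, per file."""
    targets = {}
    for path, history in versions.items():
        clean = [v for v in history if v[0] < incident_ts]
        if clean:  # files with no earlier version have nothing to roll back to
            targets[path] = max(clean)[1]
    return targets

# Constructed sample data: not real telemetry.
TEXT = b"quarterly report draft " * 100
ENC = bytes(range(256)) * 16   # uniform bytes stand in for ciphertext
EVENTS = [(100.0, "notes.txt", TEXT), (200.0, "budget.csv", ENC),
          (201.0, "plan.txt", ENC), (202.0, "todo.md", ENC), (203.0, "log.txt", ENC)]
VERSIONS = {"budget.csv": [(50.0, "v1"), (150.0, "v2"), (200.0, "v3")],
            "plan.txt": [(90.0, "v1"), (201.0, "v2")], "todo.md": [(202.0, "v1")]}

def run_demo():
    guard = SyncGuard()
    decisions = [guard.on_write(ts, path, data) for ts, path, data in EVENTS]
    return decisions, guard.paused_at, restore_targets(VERSIONS, guard.paused_at)
```

In the sample run the first two encrypted writes sync before the burst threshold trips, which is why the pause has to be paired with bulk restoration. Compressed formats also score close to 8 bits per byte, so entropy alone would misfire on them and a real detector needs more signals.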

Practical advice for users and admins

If you rely on Drive, a few simple steps will make these protections more useful:

  • Update Drive for desktop to the latest version (v114 or newer) so you get the full notification experience.
  • Check your Admin console under Apps > Google Workspace > Drive and Docs > Malware and Ransomware to see how policies are configured for your organization. Only admins can turn the detection on or off.
  • Keep endpoint antivirus, OS and app updates current. Drive’s feature slows spread and enables recovery but won’t prevent a determined attacker from getting in.
  • Train staff on the signs of ransomware and how to respond to Drive alerts — fast human action plus automated pausing is the best combo.

If you use a mix of Google services at work, it can help to keep up with other account hygiene features Google has been adding, like the ability to rename your Gmail address in some cases. And for people who use Google hardware and apps to keep tabs on devices, Google’s other product updates can be worth watching as the ecosystem grows more feature-rich, for example the Find Hub website that extends device-finding to the web.

A useful tool, with limits

This rollout matters because ransomware remains one of the fastest ways to create large, urgent incidents for organisations and individuals. Drive’s pause-and-restore approach reduces the blast radius and gives admins a way to recover without paying ransoms. Still, detection is not universal and relies on desktop clients, so it should be part of a layered defense, not the only line of protection.

Expect Google to refine the model and expand coverage over time. For now, update your client, talk to your admin, and make sure you — and your backups — are prepared.
