Protect.Computer
NEWS

Google Drive ransomware detection is now generally available for Workspace tiers

· 1 min read · Data hijack Backup recovery
Google Drive ransomware detection is now generally available for Workspace tiers

Photo by protect.computer on protect.computer

What happened

Google announced that ransomware detection and bulk file restoration in Google Drive for desktop are now generally available, after a beta period.

According to Google, the newer detection model can identify significantly more ransomware-encrypted activity than the beta version. When triggered, Drive sync is paused and both the user and admin are alerted.

Why this matters

For organizations using Drive for desktop, this improves the odds of catching ransomware behavior before encrypted files continue syncing and propagating damage.

The protection is not universal across every SKU, so teams should verify whether their edition includes detection and whether endpoints are on supported Drive versions.

How to check if you’re affected

Potentially affected environments:

  • Organizations relying on Google Drive for desktop as part of daily file workflows.
  • Endpoints where local ransomware could encrypt files before cloud controls detect it.
  • Admin teams that have not reviewed Drive malware/ransomware policy settings recently.

Verification steps:

  1. In Google Admin Console, confirm ransomware detection and file restoration settings are enabled for the relevant OUs.
  2. Confirm Drive for desktop versions are current on managed endpoints.
  3. Validate alert routing so security/admin teams receive ransomware detection notifications.
  4. Test restoration workflow in a controlled environment so help desk and IR teams can execute quickly during an incident.

Immediate defensive actions

  • Keep endpoint EDR active; cloud-side sync protection is not a replacement for endpoint prevention.
  • Ensure offline/immutable backups exist for high-value data outside the sync path.
  • Document a short runbook for Drive detection alerts (triage, isolate endpoint, restore files, rotate creds if needed).

Sources

Bottom line

If your org uses Drive for desktop, treat this as a useful extra safety layer—not full ransomware protection. Confirm policy coverage, endpoint versioning, alerting, and recovery drills now, before an incident forces you to improvise.

Related reading

News
Marquis Software breach impacts 672,000+ people at U.S. financial institutions

Bank software vendor Marquis Software says a 2025 ransomware incident exposed personal and financial data tied to customers of dozens of institutions.

News
AI-generated Slopoly malware deployed in Interlock ransomware attacks

Researchers say a likely AI-generated Slopoly backdoor helped ransomware operators maintain persistence and steal data in Interlock-linked intrusions.

News
England Hockey investigates AiLock ransomware claim

England Hockey says it is investigating after the AiLock ransomware gang claimed to steal 129GB of data.

News
DOJ alleges incident responder colluded with BlackCat during ransom negotiations

U.S. prosecutors say a ransomware incident responder secretly helped ALPHV/BlackCat maximize victim payouts while assigned to support those same victims.