Google has officially announced that the AI-powered Google Drive ransomware detection feature is now widely available and enabled by default for all paying users.
This functionality, initially revealed in September 2025, entered its beta phase in early October and was gradually rolled out to Google Workspace customers around the globe. Once activated, Google Drive automatically pauses file syncing upon detecting a ransomware attack and alerts users and IT administrators to the incident, significantly reducing the potential damage from such threats.
While this feature may not stop files from being encrypted on an affected computer, documents stored on Google Drive remain protected and can be swiftly restored after the malware has been neutralized. Following a ransomware event, users receive detailed instructions for restoring compromised files through the Drive restoration tool, which reverses the changes made by the ransomware.
Google states, “When ransomware detection is on, files are scanned for ransomware when they are synced from a desktop computer to Drive. If ransomware-encrypted files are found, desktop sync is paused. The affected user gets an email alert and is notified in Drive, and an alert is created in the Google Admin console.”
Since the beta version, the feature has been improved to detect a broader range of ransomware encryption types and to do so faster. The latest AI model is now capable of identifying 14x more infections, resulting in substantially stronger protection.
This feature is automatically enabled for all users within organizations holding business, enterprise, education, and frontline licenses. Meanwhile, the file restoration capability is accessible to all Google Workspace customers, individual Workspace subscribers, and personal Google account users.
Although the feature is enabled by default, administrators can disable it for their organizations through the Admin console under Apps > Google Workspace > Settings for Drive and Docs > Malware and Ransomware. Admins also need to install the latest version of Google Drive for desktop (v.114 or later) across all endpoints to activate detection notifications, though file syncing will continue to be paused on older versions.
Microsoft offers a comparable service with its OneDrive ransomware detection and recovery feature for Microsoft 365 subscribers, and Dropbox provides this functionality to customers on Business Plus, Advanced, or Enterprise plans, as well as standard plans that come with a security add-on.