Google brings AI-powered ransomware defense to Drive for Desktop
It could stop attacks midstream, pausing file syncing after only a few corrupted files and letting you roll everything back to safety in a few clicks.
Ransomware has become one of the costliest cybersecurity problems of the past decade. In 2024, Google’s security arm Mandiant reported that 21% of the intrusions it investigated were ransomware-related, with the average incident costing more than $5 million.
To tackle the threat, Google is giving Drive for Desktop a capability most antivirus tools can’t match: stopping an attack while it’s happening, not after the damage is done.
The idea seems pretty straightforward. If you can’t guarantee ransomware won’t get in, make sure it can’t spread once it does. Drive for Desktop now doubles as a live security system, powered by an AI model trained on millions of ransomware samples. It looks for signs such as mass file encryption or sudden bursts of rapid changes. When it spots a pattern, usually after three to five corrupted files, it pauses syncing to the cloud and contains the damage.
This could mark a shift from traditional antivirus software, which focuses on keeping attackers out. Google’s approach works more like a smoke alarm that locks down the exits once the fire has started. Since Google Docs and Sheets are mostly immune to ransomware, the system seems really designed to protect weaker files such as PDFs, Word documents, CAD drawings, and spreadsheets synced from Windows or macOS.
Google says recovery is built in as well. Instead of wiping your machine, digging through backups, or waiting for IT support, Drive sends a desktop notification and an email. With just a few clicks, files can be restored to the state they were in moments before the attack.
Admins get visibility too. Alerts appear in the Workspace console, with logs of everything that happened. The feature is switched on by default for most commercial Workspace plans.
Like every innovation, it’s not flawless. Google admits false alarms are possible, especially for developers or power users running encryption-heavy workloads. But the company argues it’s better to interrupt a suspicious process than risk shutting down an entire hospital wing or school system.
The ransomware detection and recovery feature is rolling out in open beta starting today.
