Google has announced that its AI-powered ransomware detection feature for Google Drive has reached general availability (GA) and is now enabled by default for all paying Google Workspace subscribers. The feature, previously in preview, uses machine learning to detect ransomware-like activity — such as mass file encryption or bulk replacement of files with encrypted versions — and can alert administrators and potentially halt the spread of an attack before widespread damage occurs.
What the Feature Does
Google Drive's ransomware detection works by analysing file activity patterns across a user's Drive storage. The AI model looks for behaviour consistent with ransomware, such as:
- Rapid bulk file modification replacing normal files with encrypted equivalents
- Unusual file extension changes across large numbers of files simultaneously
- Destruction of file metadata consistent with encryption staging
- High-volume file deletion followed by re-upload patterns used by some ransomware strains

When the model identifies such behaviour, it flags the activity for review and can trigger automated alerts to administrators via the Google Workspace Admin console.
The feature leverages the same machine learning infrastructure Google uses for spam, phishing, and malware detection in Gmail and Chrome Safe Browsing, adapted to the behavioural patterns specific to ransomware operating within cloud storage environments.
Why This Matters
Ransomware groups have increasingly targeted cloud storage as an additional attack surface:
- Some ransomware families are cloud-drive-aware and can encrypt files synced via desktop clients such as Google Drive for Desktop, Dropbox, or OneDrive, with the encrypted versions propagating back to the cloud
- Business Email Compromise (BEC) combined with Drive access can give attackers the ability to exfiltrate and then ransom cloud-stored documents
- Insider threat and credential theft scenarios may involve an attacker with legitimate Drive access conducting destructive file operations
By detecting these patterns at the cloud layer, Google can provide a safety net that is independent of whether the endpoint is compromised or the local security tooling has been disabled — a common ransomware tactic to eliminate recovery options before detonating the payload.
Availability
| Tier | Status |
|---|---|
| Google Workspace Business Starter | Enabled by default |
| Google Workspace Business Standard | Enabled by default |
| Google Workspace Business Plus | Enabled by default |
| Google Workspace Enterprise (all tiers) | Enabled by default |
| Google Drive (free / personal) | Not included |
The feature is not available on free personal Google accounts — it is exclusive to paid Workspace subscribers.
How Administrators Can Configure It
Workspace administrators can manage the feature from the Admin console:
Admin console → Security → Alert centre → Ransomware activity detected
Administrators can:
- Configure email and push notification alerts when ransomware activity is detected
- Review flagged activity logs showing which files were affected and which user account triggered the detection
- Restore files to a pre-attack state using Drive's built-in version history if a genuine ransomware event is confirmed
- Set response policies — such as automatically suspending a user account flagged for ransomware activity pending review
Limitations
Google Drive ransomware detection is designed as a cloud-layer safety net, not a complete ransomware defence:
- It operates on files already in Google Drive — it does not protect local files on endpoints
- Encrypted files synced from a compromised endpoint may be partially or fully propagated before the detection triggers
- The feature is reactive to patterns within Drive — it does not prevent ransomware execution on the device
- False positives are possible — legitimate bulk file processing (e.g. batch conversion workflows) may trigger alerts
Workspace administrators should treat this as one layer in a defence-in-depth approach, combined with endpoint protection, privileged access management, and regular offline backups.
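
The bulk extension-change signal listed under What the Feature Does, and the batch-conversion false positive noted above, can be sketched as a sliding-window heuristic. This is an added example, not Google's model or code: the event fields (`time`, `user`, `old_name`, `new_name`), the extension allowlist, the 60-second window and the threshold of 20 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Assumptions: formats a batch-conversion workflow legitimately produces, and tuning values.
KNOWN_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".png", ".jpg", ".txt", ".csv"}
WINDOW = timedelta(seconds=60)
THRESHOLD = 20

def ext(name):
    return os.path.splitext(name)[1].lower()

def detect_bulk_extension_change(events):
    """Alert on users who, within WINDOW, change THRESHOLD or more files
    to one shared extension that is not in KNOWN_EXTS."""
    recent = defaultdict(deque)  # user -> (time, new_ext) of suspicious renames
    alerts = {}
    for e in sorted(events, key=lambda e: e["time"]):
        old, new = ext(e["old_name"]), ext(e["new_name"])
        if old == new or new in KNOWN_EXTS:
            continue  # no extension change, or conversion to a known format
        q = recent[e["user"]]
        q.append((e["time"], new))
        while q and e["time"] - q[0][0] > WINDOW:
            q.popleft()  # drop renames that fell out of the window
        same = sum(1 for _, x in q if x == new)
        if same >= THRESHOLD and e["user"] not in alerts:
            alerts[e["user"]] = {"user": e["user"], "extension": new,
                                 "first_alert": e["time"], "count": same}
    return list(alerts.values())

def sample_events():
    """Constructed sample: alice batch-converts to .pdf, bob's files gain .locked."""
    t0 = datetime(2026, 4, 1, 9, 0, 0)
    ev = []
    for i in range(30):
        ev.append({"time": t0 + timedelta(seconds=i), "user": "alice@example.com",
                   "old_name": f"report{i}.docx", "new_name": f"report{i}.pdf"})
        ev.append({"time": t0 + timedelta(seconds=i), "user": "bob@example.com",
                   "old_name": f"invoice{i}.xlsx", "new_name": f"invoice{i}.xlsx.locked"})
    return ev

if __name__ == "__main__":
    for alert in detect_bulk_extension_change(sample_events()):
        print(alert)
```

On the constructed sample only the second account is flagged; the batch conversion to `.pdf` passes because its target extension is on the allowlist.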
Context: Ransomware and Cloud Storage
The expansion of AI-driven ransomware detection to cloud storage reflects a broader security industry trend. Microsoft has offered ransomware detection and recovery in OneDrive since 2018, and various third-party DLP (Data Loss Prevention) solutions have offered cloud storage monitoring for years. Google's move to make this a default-enabled, GA feature for Workspace users narrows the gap.
With ransomware remaining the dominant cyber threat facing organisations in 2026, responsible for billions in damages and affecting thousands of companies across every sector, automated detection at the cloud layer represents a meaningful, low-friction defence that requires no action from end users.
Source: BleepingComputer — April 1, 2026