Google wants to nip ransomware in the bud.
In an announcement on Sept. 30, the company unveiled AI-powered ransomware detection for its cloud-storage platform Drive. The new feature notices file changes that reek of ransomware—like lots of rapid encryption or a sudden change in extensions (for example, from .doc to locked)—and immediately stops file-syncing between a machine and Drive.
The company believes its mechanism fills a valuable place between anti-malware options that detect ransomware in the opening phases of an attack and backup options that restore ransomware files in the latter phases.
“We want to lay a trap for attackers right after the attack starts,” Luke Camery, lead group product manager for Google Workspace, said during a Sept. 24 news briefing in advance of the announcement.
How it works. According to Google’s post, a Drive-integrated AI model, trained on millions of real-world ransomware samples, looks for “signals that a file has been maliciously modified.” Upon detection, Drive automatically pauses syncing of affected files. For the feature to work, users need to enable file syncing so that Google Drive for Desktop has visibility into all incoming file changes, Ross Richendrfer, head of security and privacy PR at Google Workspace, shared in an email response to IT Brew.
Then, a user receives a desktop or email alert to restore files.
During the Sept. 24 product briefing, Camery said the feature doesn’t try to determine if you’re actively infected with ransomware. The “decision point” for the mechanism begins with the question: Are the changes being made to files demonstrating normal collaboration, or a destructive action?
“The clear pattern for every successful ransomware attack that makes big headlines is it bypasses antivirus protections, and then it spreads user by user, causing as much damage as possible, until the entire network topples over and there's nothing to stop it. Once it starts, you’re just left to clean up the mess afterwards. And so that’s exactly what we set out to fix,” he said on the call.
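As an added illustration (not Google's model, whose internals the post does not describe, and not code from the article), the Python example below applies the two signals named above, a burst of extension changes and encrypted-looking content, to a stream of file-change events and pauses syncing once a threshold is crossed. The thresholds, the `SyncGuard` class and the sample events are constructed assumptions.

```python
import math
import os
from collections import Counter, deque

ENTROPY_BITS = 7.0  # assumed threshold; ciphertext approaches 8 bits per byte
WINDOW_SECS = 10    # assumed burst window
BURST_COUNT = 5     # assumed number of suspicious changes that trips the pause

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_suspicious(old_path: str, new_path: str, content: bytes) -> bool:
    """Extension changed AND the new content looks encrypted."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return old_ext != new_ext and shannon_entropy(content) >= ENTROPY_BITS

class SyncGuard:
    def __init__(self):
        self.recent = deque()  # (timestamp, path) of suspicious changes in the window
        self.paused = False
        self.affected = []     # files to offer for restore

    def observe(self, ts, old_path, new_path, content) -> bool:
        """Return True if the change may sync, False if syncing is paused."""
        if self.paused:
            self.affected.append(new_path)
            return False
        if is_suspicious(old_path, new_path, content):
            self.recent.append((ts, new_path))
            while ts - self.recent[0][0] > WINDOW_SECS:
                self.recent.popleft()
            if len(self.recent) >= BURST_COUNT:
                self.paused = True
                self.affected.extend(path for _, path in self.recent)
                return False
        return True

# Constructed sample events: (seconds, old path, new path, new content).
TEXT = b"Quarterly report draft, revision 3.\n" * 20
CIPHERLIKE = bytes(range(256)) * 4  # uniform bytes standing in for ciphertext
COLLAB = [(i, f"doc{i}.doc", f"doc{i}.doc", TEXT) for i in range(8)]
COLLAB.append((9, "archive.doc", "archive.zip", CIPHERLIKE))  # one-off conversion
ATTACK = [(i, f"doc{i}.doc", f"doc{i}.locked", CIPHERLIKE) for i in range(7)]

def replay(events) -> SyncGuard:
    guard = SyncGuard()
    for event in events:
        guard.observe(*event)
    return guard
```

Replaying `COLLAB` leaves syncing on, including the single legitimate conversion to `.zip`, while replaying `ATTACK` pauses on the fifth rename and records all seven renamed files as candidates for restore.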
Extortion over encryption. Google’s feature announcement arrives as ransomware actors seem to be dropping encryption as their go-to tool. The State of Ransomware report from cybersecurity company Sophos, pulling responses from 3,400 global IT leaders between January and March 2025, reported that data encryption by ransomware actors was “at its lowest level in six years.” Half of attacks, according to the study, resulted in encryption in 2025—down from 70% the previous year. The dip in attacker-led encryption, to Sophos, suggests “organizations are more capable of stopping attacks before the encrypted payload is deployed,” but the report did not elaborate on specific improved defenses.
Threat-management company Searchlight Cyber, in a report released on Sept. 25, found that ransomware groups listed 3,734 victims on extortion sites during H1 2025—“an increase of 20 percent compared to the second half of 2024 and a 67 percent increase on the same time frame last year.”
“Ransomware groups have identified that the effectiveness of encrypting a victim’s content is no longer as effective as it once was. Improved backup and restoration capabilities are having an impact on the battle,” Luke Donovan, head of threat intelligence at Searchlight, told Help Net Security on Sept. 26.
Clean and mean. Gerald Auger, adjunct faculty at military college The Citadel and president of consulting firm Coastal Information Security Group, sees Google’s mechanism aimed at end users protecting files such as documentation, spreadsheets, PDFs, and marketing kits; it’s unlikely, for example, that an IT pro would sync a database server to Drive, he said.
Stopping the sync is a “pretty clean little solution” for halting ransomware before it can cause real damage, Auger said, except for one IT task to tidy up: “You still have to clean the machine.”
Camery said the feature (barring any needed additions) will be generally available by the end of the year, and the capability, rolling out in beta, will be available to Business Standard and above customers for free.