The Google Admin Bootcamp

Master the Google Admin Console

Manage your
users, data, and devices

using the Google Admin Console

🍂 Registration for the FALL admin bootcamp is open! 🍂

Ransomware detection for Drive

October 14, 2025 by John R. Sowash

A ransomware attack is an IT admin’s worst nightmare. Losing access to critical files and systems is a frightening thought. Sadly, it’s a reality that more than a few districts have faced. 

Google is stepping up its ability to detect ransomware attacks and restore files that have been encrypted by bad actors. 

Before we dive in, here’s a quick and important reminder: Native Google files (like Docs, Sheets, and Slides) are NOT susceptible to ransomware attacks! That’s one of the built-in superpowers of the Google ecosystem.

However, other file types (like PDFs, JPEGs, and Office files) stored on desktop operating systems (Windows or Mac) and synced via Drive for desktop can still be vulnerable.

The good news is that Google is stepping up its game with a new AI-powered security layer for Google Drive for desktop. Here’s how it works. 

Related Post: Protecting students from phishing attacks

Two key features (and who gets them)

This update actually includes two distinct, but related, features, and their availability depends on your school’s Google Workspace edition:

1. File restoration (The “easy recovery” button)

  • What it does: Allows users to easily restore multiple corrupted files to a previous, healthy state with just a few clicks. This is a huge, time-saving feature that helps minimize data loss.
  • Who gets it?: ALL Google Workspace customers (including Education Fundamentals)

2. Ransomware detection (the proactive AI)

  • What it does: This is the AI that automatically pauses syncing when unusual activity is detected, sends alerts to the desktop, and creates an alert in the Admin console.
  • Who gets it?: Education Standard and Education Plus domains only.

BONUS Tip: every district has a handful of users who refuse to migrate to using Docs, Slides, Sheets, etc. You can install and configure the Drive for Desktop client for these users to backup and protect their native Windows files via Google Drive.

How the Tool Works

  • Detection and Sync Pause (Standard/Plus only): Google Drive for desktop uses smart AI to look for signs that a file is being maliciously modified or encrypted in bulk. When it spots this unusual activity, Drive automatically pauses syncing of the affected files to the cloud. This fast action helps prevent the ransomware from corrupting data across your organization’s Drive.
  • Easy File Restoration (Everyone!): The ability to select and restore multiple files to a previous, healthy state with just a few clicks is available for all of your staff and students. Note: Drive for desktop stores old versions of files for up to 25 days, so recovery should be performed within that time frame.

Action Items for Admins

  • Required App Version: For users to see the desktop alerts (and for the detection/sync-pause to be most effective), they will need the latest version of Drive for desktop (v. 114 or later) installed on their Windows or macOS computers.
  • Admin Control: Admins can manage ransomware detection policies from the admin console by navigating to Apps > Google Workspace > Settings for Drive and Docs > Malware and Ransomware.

This new AI defense is an important layer of protection that limits the damage of attacks and provides a straightforward way for staff to recover their files.

Learn more about this topic: 

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *