Google has rolled out AI-powered ransomware detection and file restoration features in Drive for desktop, Google’s official file syncing and access app for Windows and macOS.

Currently in open beta, this new layer of defense is not meant to stop traditional ransomware that encrypts files on disk, but to counteract its corruption.

From detection to rollback

“Our AI-powered detection in Drive for desktop identifies the core signature of a ransomware attack — an attempt to encrypt or corrupt files en masse — and rapidly intervenes to put a protective bubble around a user’s files by stopping file syncing to the cloud before the ransomware can spread,” Luke Camery and Kristina Behr, product leaders for Google Drive, Docs, and Workspace, explained.

According to Google, the model powering the features has been trained on millions of real-world ransomware samples, and the detection engine adapts to spot novel ransomware through file change analysis and by incorporating new threat intelligence from VirusTotal.

“When Drive detects unusual activity that suggests a ransomware attack, it automatically pauses syncing of affected files, helping to prevent widespread data corruption across an organization’s Drive and the disruption of work. Users then receive an alert on their desktop and via email, guiding them to restore their files,” Camery and Behr added.


The alert end users see when ransomware is detected (Source: Google)

The ransomware infection has to be cleared up first, but once that’s done, users can easily restore multiple files to a previous, healthy state through Drive’s web interface.

Of course, when ransomware action is detected on a system, the organization’s Google admin(s) will also see an alert in the Admin console security center and receive an alert via email.

File restoration for all, ransomware detection for Business and Enterprise

“To date, ransomware has largely been treated as an antivirus (AV) issue: Seek out potentially malicious code before it’s activated and quarantine it. This is an important and necessary defense, but with the continued success of ransomware attacks over the last few years, it’s clear this approach is insufficient,” Camery and Behr noted.

Drive for desktop’s ransomware detection and file restoration features are being rolled out gradually and both will be on by default for users in Google Workspace organizations. It’s on admins to turn them off through the Admin console if necessary.

End users in an organization will be able to take advantage of these features only if the administrators have left them on and if they have Drive for desktop v.114 or later installed on their computer. (Earlier versions of the app will only pause the file syncing.)

The file restoration feature is available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts, but the ransomware detection feature is limited to customers with business, enterprise, education and frontline Workspace plans.
