Google unveils AI-powered security to trap ransomware attacks

The new security capability, available at no extra cost for most Google Workspace users, detects mass file encryption during ransomware attacks, stops the attacks from spreading and allows for restoration of files

Google has launched an artificial intelligence (AI)-powered security capability that acts as a last line of defence against ransomware attacks that have evaded traditional security measures and protects files stored in Google Drive.

The new capability, which will be rolled out globally to most commercial Google Workspace customers at no extra cost, is aimed primarily at file formats such as Microsoft Office documents and PDFs, which are frequently targeted by ransomware attacks.

Ransomware, a type of malicious software that encrypts a victim’s files and demands payment to restore access, remains a pervasive threat that keeps administrators at organisations of all sizes up at night.

“The idea that a well-resourced and sophisticated bad actor could target an organisation and hold an entire network hostage is the stuff of nightmares,” said Kristina Behr, vice-president of collaboration applications for Google Workspace.

According to Mandiant’s investigations in 2024, 89% of organisations in Asia-Pacific that were hit by ransomware learnt about the attacks from an outsider, revealing gaps in detection and intervention capabilities.

Through its new ransomware protection capability, Google hopes to address what it calls the “missing middle” in ransomware mitigation. Current defences typically focus on preventing an attack with antivirus software or recovering from an attack using backups.

“There is a fundamental flaw in the status quo,” said Luke Camery, product manager for security and compliance at Google Workspace. “They’re either entirely focused on treating ransomware as an antivirus issue, or they assume that you’ve already been hit, and they treat it like a backup and restore problem.”

Google’s solution is intended to intervene at the critical moment an attack begins. Built into the Google Drive for Desktop application on Windows and macOS, a proprietary AI model continuously monitors for suspicious activity.

Trained on millions of real-world ransomware samples, the model does not look for the malicious code itself. Instead, it identifies the signature behaviour of a ransomware attack: the rapid, mass encryption of files.

When this pattern is detected, typically after three to five files have been encrypted, Google Drive automatically suspends all file syncing from the user’s device to the cloud. This action forms a “protective bubble” around the user’s cloud-stored files, preventing the corrupted versions from overwriting the clean ones and the attack from spreading to collaborators.

The affected user is notified immediately and a new restoration tool is launched in Google Drive’s web interface. It allows the user to see a millisecond-by-millisecond timeline of file changes and, with a few clicks, restore all affected files to their healthy state from just before the attack began.
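Added example, not Google's code: a hypothetical sketch of the behaviour described above, in which a detector flags a burst of distinct files being rewritten with near-random (encrypted-looking) content, holds back syncing from that moment, and rolls each file back to the last version saved before the burst. The threshold of three files, the entropy heuristic and the sample documents are constructed assumptions.

```python
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: office text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class MassEncryptionDetector:
    """Hypothetical behavioural detector: it never inspects the malware, only the
    pattern of distinct files being rewritten with high-entropy content in a window."""
    def __init__(self, threshold=3, window=10.0, entropy_cutoff=7.5):
        self.threshold, self.window, self.cutoff = threshold, window, entropy_cutoff
        self.suspicious = deque()   # (ts, path) of recent high-entropy rewrites
        self.sync_suspended = False
        self.restore_point = None   # ts of the first rewrite in the flagged burst

    def observe(self, ts: float, path: str, data: bytes) -> bool:
        """Return True if this write may sync to the cloud, False if it is held."""
        if self.sync_suspended:
            return False            # the "protective bubble": nothing syncs
        if shannon_entropy(data) < self.cutoff:
            return True             # ordinary edit, sync as usual
        self.suspicious.append((ts, path))
        while ts - self.suspicious[0][0] > self.window:
            self.suspicious.popleft()
        if len({p for _, p in self.suspicious}) >= self.threshold:
            self.sync_suspended, self.restore_point = True, self.suspicious[0][0]
            return False
        return True

def restore_versions(history, restore_point):
    """Per file, pick the newest version saved strictly before restore_point."""
    if restore_point is None:
        return {}                   # nothing was flagged, nothing to roll back
    return {p: max((v for v in vs if v[0] < restore_point), key=lambda v: v[0])[1]
            for p, vs in history.items() if any(v[0] < restore_point for v in vs)}

CIPHERTEXT = bytes(range(256)) * 8               # constructed stand-in for encrypted output
PLAINTEXT = b"quarterly report draft, v2 " * 40  # constructed ordinary document content

def run_demo():
    history = {f"doc{i}.docx": [(0.0, PLAINTEXT)] for i in range(4)}  # clean cloud versions
    det, synced = MassEncryptionDetector(), []
    events = [(1.0, "doc0.docx", PLAINTEXT)] + [(5.0 + i, f"doc{i}.docx", CIPHERTEXT) for i in range(4)]
    for ts, path, data in events:
        if det.observe(ts, path, data):          # only allowed writes reach the cloud
            history[path].append((ts, data))
            synced.append(path)
    return det, synced, restore_versions(history, det.restore_point)
```

As in the article's description, the first few encrypted versions do reach the cloud before the threshold trips, which is why the roll-back selects the version saved just before the burst rather than the latest one.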

“The impacted user can immediately return to work on any safe device, and no other users on the network will even know what happened,” said Camery.

Camery said the new capability is not meant to replace existing security tools like antivirus or endpoint detection and response (EDR) platforms, but rather to complement them.

“We are not trying to identify malicious files themselves, like traditional antivirus or EDR do,” he added, urging organisations to continue using those tools. “But you know they’re not infallible, and so there’s no reason not to add this Drive protection on top of them.”

When asked by Computer Weekly if there were plans to extend similar protections to files stored in the Google Cloud Storage service used by enterprises, Camery indicated it was a possibility. “We don’t have any specific plans at this time, but it’s definitely something I would watch out for in the future,” he said.

Having layered defences is critical at a time when attackers are constantly evolving their tactics, techniques and procedures. According to Mandiant, intrusions related to ransomware accounted for 21% of all intrusions observed in 2024, with the average cost of an incident exceeding $5m.

“What we’re unveiling and making available today is an entirely new layer of defence,” said Behr. “While antivirus solutions continue their work to stop ransomware from getting in, we’ve built the protections to stop it from being effective once it is inevitably through the door.”

Google Workspace administrators will receive alerts about any detected incidents in their administrator console and can review audit logs for further investigation. The feature will be enabled by default and included in most Google Workspace commercial plans. Individual consumers will also have access to file restoration capabilities.
