Google Drive has made its ransomware detection feature generally available and enabled it by default for paying users, according to an official announcement.
The feature uses artificial intelligence to identify signs of ransomware activity when files are synced from a desktop device to Google Drive. According to Google, files are scanned during the syncing process, allowing the system to detect suspicious patterns such as encryption attempts or abnormal file modifications associated with ransomware attacks.
When potential ransomware activity is detected, Google Drive automatically pauses file synchronization. The company stated that this is intended to limit the spread of encrypted or corrupted files to cloud storage. Users receive notifications through email and within Google Drive, while administrators are alerted through the Google Admin console.
The feature does not prevent files on an already compromised device from being encrypted. However, Google stated that files stored in Drive remain protected from being overwritten by encrypted versions. Once the threat is addressed, users can restore affected files using built-in recovery tools designed to reverse ransomware-related changes.
Google reported that improvements made since the beta version have increased detection capabilities. The company stated that its updated AI model can identify a broader range of ransomware activity and operates faster than earlier versions. According to Google, the system can detect up to 14 times more infections compared to the initial release.
The ransomware detection feature was first introduced in September 2025 and entered beta testing shortly after. It has now reached general availability and is automatically enabled for Google Workspace customers and other paying users.
Administrators are required to deploy the latest version of Google Drive for desktop to ensure full alert functionality across endpoints. However, Google stated that synchronization will still be paused on older versions of the software if ransomware activity is detected.
The update reflects ongoing efforts to integrate automated threat detection into cloud storage services, particularly for ransomware, which is designed to encrypt files or restrict access to data until a payment is made.