Back to Home

Drive detects ransomware: scanning and recovery

Google Drive for desktop PCs introduced scanning for ransomware with sync pause and notifications. Available to paid users from version 114. Bulk file recovery works for all accounts, simplifying rollback after attacks.

Ransomware in Drive: how to block and restore files
Advertisement 728x90

# Google Drive for Desktop: Built-in Ransomware Detection and Bulk File Recovery

The Google Drive desktop app now automatically scans files for ransomware during upload. If suspicious activity is detected, sync pauses, blocking the spread of infected data to the cloud. Users get a desktop notification, while organization admins receive an email alert.

The feature is enabled by default in Drive version 114 and later. Available to paid subscribers: Business Standard, Enterprise Plus. Free accounts are limited to recovery without active scanning.

Bulk Recovery of Infected Files

Google has introduced a bulk recovery tool to revert large volumes of files to previous versions. No need to pay the ransom or manually review history for each item. The feature works for all users, including free personal accounts.

Google AdInline article slot

Beta versions of both features have been tested since September 2025. They are now rolled out everywhere, improving resilience against ransomware attacks in corporate and personal scenarios.

Key Features of the New Functions

  • Detection: Automatic monitoring of uploads, sync pause, notifications.
  • Recovery: Bulk version rollback without individual intervention.
  • Availability: Scanning — paid only; recovery — for all.
  • Version: Drive 114+ for desktop (Windows, macOS, Linux).

These measures minimize damage from ransomware, where attackers encrypt files and demand payment. In IT environments where Drive is used for backups and collaboration, timely detection is critical.

Integration into Workflows

For sysadmins, the feature integrates with Google Workspace admin consoles. Email notifications enable quick responses: device isolation, log audits. In enterprise scenarios, it pairs with Vault for long-term version storage.

Google AdInline article slot

Developers using the Drive API can monitor status via programmatic access. No public endpoints for custom scanning, but event logs are available in the Activity dashboard.

Example attack scenario and response:

  • Ransomware activates locally.
  • Drive detects anomalies during upload attempt.
  • Sync pauses, alert is sent.
  • Admin initiates bulk restore from the cloud.

Key Takeaways

  • Active ransomware detection is enabled by default in Drive 114+, but only for paid plans.
  • Bulk recovery is available to all users at no extra cost.
  • The features prevent infected files from leaking to the cloud, reducing risks for teams.
  • Notifications for users and admins speed up response time.
  • Requires updating the desktop client to activate.

Amid rising ransomware attacks (per 2025–2026 data), these updates are relevant for mid/senior DevOps and security engineers. Recommended: audit current backup strategies considering the new capabilities.

Google AdInline article slot

— Editorial Team

Advertisement 728x90

Read Next