Google has moved a set of anti-ransomware tools for Drive from beta into full global release, adding a stronger layer of detection and bulk file restoration for organisations using Drive for desktop. The rollout, announced on 31 March, turns ransomware detection on by default for Workspace users, sends alerts to administrators when suspicious encryption activity is detected, and enables file restoration by default to help recover from damage on infected endpoints.
The launch marks the formal release of a feature first opened for beta testing in late September 2025. Google says the production version includes improved malware detection, while administrators can manage the settings at organisational-unit level through the Admin console. Detection alerts require Drive for desktop version 114 or later, though syncing can still be paused on older versions if suspicious behaviour is found.
At the operational level, Google is trying to address one of the most painful parts of ransomware response: the scramble to identify what was altered and then roll back the damage without restoring whole systems from backups. Its restoration tool allows users to recover files in bulk from a ransomware event through Google Drive on the web, restoring file names and content after an attack has been contained. That places the feature in the growing class of cloud-native recovery controls designed to reduce downtime when an employee machine, rather than the cloud platform itself, becomes the point of compromise.
The timing is not accidental. Ransomware remains one of the most persistent threats facing businesses, schools and public institutions, even as extortion tactics evolve. Verizon said in its 2025 Data Breach Investigations Report that ransomware was present in 44% of breaches, a 37% increase on the prior year. Mandiant, now part of Google Cloud, said ransomware-related events accounted for more than one-fifth of its incident response investigations in 2024, while its 2026 threat outlook described criminal groups in 2025 as increasingly focused on fast impact and deliberate denial of recovery.
That threat pattern helps explain Google’s emphasis on recovery, not only detection. Modern ransomware operators do not always stop at encrypting files. They often steal data, tamper with security tools, delete backups and try to frustrate restoration. Mandiant said such actors routinely engage in tactics intended to reduce a victim’s ability to recover, including clearing logs and interfering with defensive software. In that context, faster rollback inside a widely used collaboration platform can have practical value, particularly for organisations whose staff sync local files through Drive for desktop across large fleets of laptops and workstations.
Google is not first into this category. Microsoft has long offered ransomware detection and recovery features in OneDrive, including notifications when files appear to be under attack and options to restore a OneDrive environment to an earlier point in time, generally within a 30-day window for eligible users. Microsoft also highlights versioning, recycle-bin recovery and file restore as part of its broader ransomware resilience model for SharePoint and OneDrive in Microsoft 365.
What differentiates Google’s announcement is the tighter Workspace administrator workflow now attached to it. Admins receive email notifications and Alert Center warnings, and they can switch both ransomware detection and Drive file restoration on or off by organisational unit. That suggests Google is pitching the service less as a consumer convenience tool and more as a managed security control for enterprises that want policy-based deployment across departments, subsidiaries or regional teams.
There are still limits to what cloud recovery can achieve. These tools can help unwind damage to synced files, but they do not replace endpoint detection, strong identity controls or patching discipline. Google’s own security guidance has stressed that destructive attacks often exploit weak credentials, missing controls and configuration gaps. Its broader cloud threat reporting for the second half of 2025 also pointed to weak or absent credentials as the leading driver in observed incidents. That underlines a central reality of ransomware defence: recovery features matter most when paired with basic security hygiene.
