Google Debuts New Ransomware Protection: 5 Things To Know

New AI-powered capabilities in Google Drive aim to block ransomware from spreading after a malicious change to a file is detected.

Google unveiled what it’s calling a new approach to combating ransomware Tuesday, with the debut of AI-powered capabilities in Drive that aim to halt an attack before it can do serious damage.

The new functionality in Google Drive is capable of blocking ransomware proliferation after a malicious change to a file is detected, the company said.

“It's clear to us that there's kind of a fundamental flaw in the status quo [of] ransomware protections,” said Luke Camery, lead group product manager for Google Workspace, during a briefing with media outlets. “Either they're entirely focused on treating ransomware like an antivirus problem, or they assume that you've already been hit and they treat it like a backup and recovery problem.”

The new ransomware protection capabilities are now available for Google Drive for desktop as an open beta, the company said. The functionality will be included in “most” Workspace commercial plans for free, according to Google.

What follows are five things to know about Google’s new ransomware protection capabilities.

Aimed At Mixed Google-Microsoft Environments

While Google Drive is typically not directly targeted by ransomware actors, many organizations are using mixed environments that might end up making Drive more vulnerable, Camery said.

For instance, many Google Workspace customers actually work with Microsoft Office files, he said — something that Workspace supports so that files don’t need to be converted into Google formats.

“Where this [ransomware protection] idea came from, frankly, is that we have a lot of customers who dual-use Workspace with the Microsoft Office editors,” Camery said. “Microsoft Office [frequently] carries malware, or VBA macros delivered with Office can hit you with a malware [or ransomware] attack.”

Google recognizes that many of its customers are not entirely using Drive — and given that, the company wanted to provide an “organization-wide safe haven and additional layer of protection” against the ransomware threat, he said.

“This is really for those customers who are operating multiple environments,” Camery said.

Ransomware Detection

The new functionality works by using a specialized AI model — trained on a sizable number of ransomware samples — to spot signals of malicious modification of a file, according to Google.

The AI model is thus able to detect the core indications that ransomware deployment is underway by spotting attempts to corrupt or encrypt a large number of files, Google executives said.

The capabilities continuously analyze file changes while also leveraging updated VirusTotal threat intelligence, the company said.

File Restoration

Once a malicious file change is detected, Google Drive will then automatically pause the syncing of affected files, according to Google.

This effectively prevents the encryption or corruption of data across the customer’s Drive accounts, Google said.

At that point, a user will receive an alert — displayed on their desktop and sent to their email — which will guide them through the process of restoring their files, the company said.

A Different Approach

Google is specifically not trying to enter the traditional endpoint security space in terms of its approach to stopping ransomware, Camery said.

“We don't look for malware or ransomware itself,” he said. “We're not looking for signatures of known ransomware. We're not patterning this on any existing attack.”

Instead, “this is meant to just look at, are the changes being made to files something that we think are malicious and destructive? Or are these normal changes made by a user?” Camery said.

In many ways, “we're actually assuming that you've already been infected by ransomware,” he said. “So we're trying to stage this much later in the attack life cycle than our competitors.”

Industry Adoption Ahead?

Google believes that its new approach for blocking ransomware proliferation will be emulated by other industry vendors in the future, Camery said.

“We've seen at least one competitor signal that they intend to do things like this,” he said. “The closest thing that we've seen is that some competitors allow you to set heuristics that attempt to look for similar signals that we're looking for with our AI.”

However, “it's not as comprehensive, and you would need to define it in your endpoint protection,” Camery said. “In terms of, do we expect people to follow suit? I would expect all the other content providers to launch something like this.”