Tech giant Google has unveiled a novel way to fight ransomware with a new, specialised AI model baked into Google Drive.

Announced Tuesday night, the newly developed AI model continuously monitors files stored in the tech giant’s desktop-to-cloud file syncing service, Google Drive for desktop.

If the AI watchdog detects telltale signs of ransomware on a connected Windows or macOS system – such as attempted file corruption or encryption – it acts like a bouncer and automatically blocks the ransomware’s access to the storage environment by pausing cloud syncing processes on all affected files.

With the threat effectively quarantined, users then receive a notification about the thwarted ransomware along with a few steps explaining how to restore their impacted files to a previous version.

In a Wednesday blog post, Kristina Behr, vice president of product management at Google Workspace, and Luke Camery, lead group product manager, said the “traditional approach” to fighting ransomware was “falling short”.

“Ransomware is no longer just an IT issue,” wrote Behr and Camery.

“It has become increasingly disruptive for core business operations, such as manufacturing lines, retail operations, or hospital services.”

Google’s security arm Mandiant found 21 per cent of the cybersecurity intrusions it detected in 2024 were related to ransomware, while extortion costs exceeded $7.58 million ($US 5 million) on average.

“We believe that it’s paramount to find a better way to fight ransomware,” they said.

Antivirus breached? Meet Google’s AI bouncer

According to Behr and Camery, ransomware has historically been treated as an “antivirus issue”, with traditional quarantine defences taking place before any malicious code is actually activated.

“This is an important and necessary defence, but with the continued success of ransomware attacks over the last few years, it’s clear this approach is insufficient,” they wrote.

[Image: Users are instructed on how to proceed when ransomware is detected. Photo: Supplied]

The main selling point of Google’s solution is its “specialised AI model” which the company trained on “millions of real-world ransomware samples” to look for active signs of data corruption or malicious file encryption after antivirus had already failed.

Camery told Information Age he and his colleagues were motivated to look for a “fundamentally different solution” after they grew concerned with the “long-running game” of defenders constantly trying to stay ahead of burgeoning ransomware threats.

“We saw this accelerate dramatically, particularly in the first half of this year with ransomware powered by large language models,” said Camery.

“A lot of that is fantastic at bypassing traditional antivirus solutions because it can change itself along the parameters of what antivirus is looking for.”

Instead of stopping a device from getting infected, Google’s solution is designed to catch ransomware once it’s already meddling with a victim’s files, then render its data corruption attempts moot.

“While antivirus solutions continue their work to stop ransomware from getting in, we’ve built the protections to stop it from being effective once it is, inevitably, through the door,” wrote Behr and Camery.

As for unfamiliar strains of ransomware that Google’s AI has not been trained on, the tech giant’s ‘detection engine’ continuously analyses file changes and incorporates new threat intelligence from VirusTotal, a prominent reporting tool which security researchers use to share and collate emerging malware threats.

In a briefing with reporters, Camery conceded the new tool had generated a small number of false detections, though these typically occurred during tests which were designed to be “indistinguishable from a malicious insider”.

Big clients test new tech

When Information Age asked if any Google clients had seen the technology, Camery said it had “absolutely been tested by a couple of Google Workspace’s largest customers”.

“You should expect to see some big names,” said Camery.

“The feedback was quite strong.”

Beyond halting ransomware, the solution is focused on reducing user interruption and data loss.

After an attack is detected, victims are given an accessible explainer and immediate steps to restore their files in a few clicks.

Bob O'Donnell, president and chief analyst of consulting firm Technalysis Research, said the new anti-ransomware feature provided an “innovative way” to avoid ransomware threats while also “giving end users the ability to continue working.”

“This is great not only for Google Workspace users but individuals and companies who may use other office productivity suites as well,” said O’Donnell.

Notably, New South Wales’ Charles Sturt University developed a similar approach earlier this year with Redwire, a protective technology that proactively detects and prevents ransomware from infecting victims’ storage environments.

An open beta rollout for Google’s new ransomware feature started Wednesday.