On Google Drive for desktop, you can warn your users of possible ransomware attacks before all of their files are corrupted. Catching attacks early helps limit the potential damage and makes file recovery easier.
About ransomware detection
When ransomware detection is on, files are scanned for ransomware when they are synced from a desktop computer to Drive. If ransomware-encrypted files are found, desktop sync is paused. The affected user gets an email alert and is notified in Drive, and an alert is created in the Google Admin console. For details, go to Restore files in bulk with Google Drive.
Turn on ransomware detection
Before you begin: Ransomware detection is enabled by default.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Apps > Google Workspace > Drive and Docs.
Requires having the Service Settings administrator privilege.
-
Click Malware and Ransomware
Ransomware detection.
-
For Drive automatically monitors unusual file changes to identify potential ransomware corruption, select On.
- Click Save.
Restore earlier file versions
If any files have been damaged by a ransomware attack or synced to Drive from a user's device, they are informed as to when the corruption started. Users also receive an email with detailed instructions on how they can restore their files to previous, uncorrupted versions.
All files that have been changed (for example, created or updated) in the past 25 days can be restored. These include My drive and Shared with me files, and files on internal or external shared drives.
Turn on Drive file restoration
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Requires having the Service Settings administrator privilege.
-
Click Malware and Ransomware
-
Click Drive file restoration.
-
For Allow multiple file version recovery, select On.
- Click Save.
