GCP – Cloud CISO Perspectives: Disrupt ransomware with AI in Google Drive
Welcome to the first Cloud CISO Perspectives for October 2025. Today, Kristina Behr, VP, Workspace Product Management, and Jorge Blanco, director, Office of the CISO, explain how a new AI-driven capability in Google Drive can help security and business leaders protect their data and minimize the impact of ransomware attacks.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Disrupt ransomware with AI in Google Drive
By Kristina Behr, VP, Workspace Product Management, and Jorge Blanco, director, Office of the CISO
We all know that ransomware is a scourge, notorious for evading traditional antivirus and endpoint detection and response solutions, causing great financial and reputational damage to organizations around the world. As part of our efforts to make technology safer and more secure for all, we’ve created a new AI-powered layer of defense against ransomware for Google Workspace customers who use the Google Drive for desktop app for Windows and macOS.
While Google Docs, Sheets, and other native Workspace documents are already secure by design and unimpacted by ransomware, and ChromeOS has never had a ransomware attack, we know users rely on a mix of services and file formats like Microsoft Office documents and PDFs, and Windows and Mac desktop operating systems.
Recovering from a ransomware attack is disruptive and takes time, usually requiring the IT team to shut down their entire network to restore data and systems from backups. The financial costs of ransomware are staggering: At least $3.1 billion has been paid in ransom for more than 4,900 ransomware attacks since 2021 — and these are only the attacks that we know of because they’ve been reported, said the U.S. government in 2024.
Meanwhile, the cost of an average data breach exceeded $5 million. Year after year, ransomware comprises more than one-fifth of cyberattacks, and in 2024 Mandiant observed 21% of all intrusions were related to ransomware.
The ability to identify early signals of threats like ransomware is paramount, as they pose a significant systemic risk to organizations. A successful attack can compromise the operational resilience of critical sectors, leading to prolonged downtime and data theft.
For example, ransomware attacks in the financial sector can disrupt the availability of payment systems and markets. The EU’s Digital Operational Resilience Act (DORA) directly addresses this by enforcing strict rules for information and communication technology risk management, resilience testing, and third-party supervision. In addition to financial and recovery costs, failure to comply could lead to operational and regulatory penalties.
Similarly, ransomware that targets healthcare organizations directly jeopardizes patient safety by restricting access to electronic health records and diagnostic tools, resulting in delayed treatments, ambulance diversions, and a measurable, material risk of higher mortality rates. Ransomware has even forced hospitals to permanently close.
Ransomware is an organization-wide threat. The high costs of remediating ransomware are as concerning for boards of directors as they are for CISOs and the security teams who report to them. To help our Workspace customers defend against ransomware attacks, we’ve developed a proprietary AI model that looks for signals that a file has been maliciously modified by ransomware — and stops it before it can spread.
These new capabilities enable smart detection of file corruption that is characteristic of a ransomware attack. They automatically halt activity to prevent file corruption from reaching cloud-stored assets, and allow for simple recovery and restoration of affected files stored on Google Drive, regardless of file format.
AI-powered ransomware detection in Drive for desktop can help secure essential government, education, and business operations, and also upend the ransomware business model by disrupting attacks in progress and offering rapid file recovery. Importantly, these capabilities have been integrated into the user experience and designed intuitively so that non-technical users can take full advantage. We are rolling this out now at no extra cost for most Google Workspace commercial plans.
How it works
Trained on millions of ransomware samples, this new layer of defense can identify the core signature of a ransomware attack — an attempt to encrypt or corrupt files en masse — and rapidly stop file syncing to the cloud before the ransomware can spread and encrypt the data. It also allows users to easily restore files with a few clicks.
The AI uses a proprietary, deep learning model that continuously looks for signs of maliciously modified files. Its detection engine can identify ransomware by analyzing patterns of file changes as they sync from desktop to Google Drive. The detection uses intelligence from Google’s battle-tested, malware-detection ecosystem, including VirusTotal.
Built-in malware defenses, also available in Gmail and Google Chrome, can help prevent ransomware from spreading to other devices and taking over entire networks. We believe that these layers of defense can help keep organizations in industries such as healthcare, retail, education, manufacturing, and government from being disrupted by ransomware attacks.
Restoring corrupted files
A key capability of this defense empowers customers to restore their files, unlike traditional solutions that require complex re-imaging or costly third-party tools. The Google Drive interface allows users to restore multiple files to a previous, healthy state with just a few clicks.
This rapid recovery capability can help to minimize user interruption and data loss, even when using Microsoft Windows, Office, and other traditional software.
Additional ransomware defenses
As AI augments and even reinvents protection against ransomware in some very powerful ways, it’s clear that organizations should do more to adopt the secure by design mentality.
There’s no single tool that can defeat all ransomware attacks, so we recommend organizations emphasize a layered, defense in depth approach. Organizations should incorporate automation and awareness strategies such as strong password policies, mandatory multi-factor authentication, regular reviews of user access and cloud storage bucket security, leaked credential monitoring on the dark web, and account lockout mechanisms.
One way to get started is to identify user groups, including sales and marketing teams, that can transition to more ransomware-resilient endpoints. Moving to devices that run ChromeOS, iOS, and Android could meaningfully reduce security risks — for example, Chromebooks are inherently more resilient against ransomware and malware in general.
For legacy Windows applications that can’t run on the web, we recommend Cameyo as a solution that allows users to continue using Windows apps in a more secure environment, such as ChromeOS.
To learn more about how we’re using AI to stop ransomware with Google Drive, read our recent Workspace blog.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Same same but also different: Google guidance on AI supply chain security: At Google, we believe that AI development is similar to traditional software, so existing security measures should readily adapt to AI. Here’s what you need to know. Read more.
- How economic threat modeling helps CISOs become chief revenue protection officers: Economic threat modeling is a way of thinking about, identifying, and managing risk in a financially responsible way. Here’s why CISOs should start doing it. Read more.
- Digital sovereignty 101: Your questions answered: Here’s what security and business leaders should know about what digital sovereignty is, and how Google Cloud is helping customers achieve it. Read more.
- How we’re securing the AI frontier: We’re announcing a new AI Vulnerability Reward Program, an updated Secure AI Framework 2.0 for AI, and the release of our new AI-powered agent CodeMender, which improves code security automatically. Read more.
- Accelerating adoption of AI for cybersecurity at DEF CON 33: Empowering cyber defenders with AI is critical as they battle cybercriminals and keep users safe. To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity. Read more.
- Announcing quantum-safe Key Encapsulation Mechanisms in Cloud KMS: We’re supporting post-quantum Key Encapsulation Mechanisms in Cloud KMS, in preview, enabling customers to begin migrating to a post-quantum world. Read more.
- Master network security with Google Cloud’s latest learning path: Google Cloud is launching a new Network Security Learning Path that culminates in the Designing Network Security in Google Cloud advanced skill badge. Read more.
- Mandiant Academy: Basic Static and Dynamic Analysis course now available: To help you get started in pursuing malware analysis as a primary specialty, we’re introducing Mandiant Academy’s new Basic Static and Dynamic Analysis course. Read more.
- The future of media sanitization at Google: Starting in November, Google Cloud will begin transitioning our approach to media sanitization to fully rely on a robust and layered encryption strategy. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Oracle E-Business Suite zero day exploited in widespread extortion campaign: A new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand has been targeting Oracle E-Business Suite (EBS) environments. Along with our analysis of the campaign, we provide actionable guidance for defenders. Read more.
- Frontline observations: UNC6040 hardening recommendations: Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. In this guide drawn from analysis of UNC6040’s specific attack methodologies, we present a structured defensive framework and emphasize Salesforce-specific security recommendations. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- How CISOs have evolved from security cop to cloud and AI champion: David Gee, board risk advisor and former CISO, shares his guidance for security leaders with hosts Anton Chuvakin and Tim Peacock, and discusses how the necessary skills, knowledge, experience, and behaviors for a CISO have evolved. Listen here.
- From scanners to AI: 25 years of vulnerability management with Qualys’ CEO: Sumedh Thakar, president and CEO, Qualys, talks with hosts Anton and Tim about how vulnerability management has changed since 1999, whether we can actually remediate vulnerabilities automatically at scale, and of course, AI. Listen here.
- Securing real AI adoption, from consumer chatbots to enterprise guardrails: Rick Caccia, CEO and co-founder, Witness AI, discusses with Anton and Tim how AI is similar to — and different from — previous massive technology shifts. Listen here.
- Behind the Binary: The machine learning revolution in reverse engineering: Host Josh Stroschein is joined by Hahna Kane Latonick for a deep dive into the powerful world where reverse engineering meets data science. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.