
Google Drive Ransomware Recovery: 3 Best Practices

In 2019, there were 187.9 million ransomware attacks on businesses and individuals. 45% of victims paid the ransom. With the disruption brought by COVID-19 in 2020, the number of attacks increased. Cloud drives with doc sharing and collaboration functionality are a popular target.

In this article, we discuss the methods of Google Drive ransomware recovery as well as how to protect your business from this type of threat in the future.

Google Workspace is a convenient tool for storing and collaborating on files. Unfortunately, it isn’t 100% safe. Modern types of ransomware can infect your cloud drive and corrupt your data.

If your business got hit by this type of malware, don’t pay the ransom just yet. Check out the methods of Google Drive ransomware recovery in this article and learn how to protect your data in the future.

4 Signs Your Google Drive Has Been Infected

Let’s check if your Google Drive has been infected with ransomware:

  1. You open documents or sheets and see encrypted text
  2. You can’t open pictures, videos, and other types of files
  3. All your emails are encrypted 
  4. You see a request to pay a ransom in your emails or documents or both


How to Recover Files from a Ransomware Attack with Google Functionality

Google has several suggestions on how to recover virus-infected files. Here’s what they say:

[Image: Google Drive Ransomware Recovery]

In other words, you need to open the document, sheet, or presentation, click File > Version history > See version history. You will be redirected to the respective page. Choose the previous version you want to restore.

Unfortunately, this method has a number of drawbacks:

  1. Modern ransomware encrypts older versions of your files too. So, chances are you will see the same corrupted data once you open your version history.
  2. This method doesn’t work if you simply downloaded a file and never edited it. In that case, you only have one version and can’t roll back to a previous one.
  3. Versioning is a feature available only for a limited number of file types. These are files edited in Docs, Sheets, and Slides. However, a significant amount of data is stored in other formats, for example HTML, PDF, PNG, and MP4.
  4. Even if your company is lucky enough to have only data in Docs and Sheets corrupted by old ransomware, manual Google Drive recovery might take weeks. The actual time will depend on the number of files you have. The average speed of recovery is 30 seconds per file stored in the main directory. Navigating folders will consume additional time. You also need to account for the time the employee in charge of restoration spends on coffee breaks and frustrated swearing.
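Before clicking through version history file by file, it helps to sort files by whether a rollback is possible at all. The sketch below is an added example, not code from Google or SpinOne: it assumes you have already exported each file's revision metadata in the shape returned by the Drive API v3 `revisions.list` call (`id`, `modifiedTime`) and that you know roughly when the attack started. The sample data, file names and the `triage` helper are constructed for illustration.

```python
from datetime import datetime

# Constructed sample shaped like Drive API v3 revisions.list results
# (fields "id" and "modifiedTime"); file names and timestamps are made up.
SAMPLE_FILES = [
    {"name": "Q2 budget", "revisions": [
        {"id": "r1", "modifiedTime": "2020-05-01T09:00:00Z"},
        {"id": "r2", "modifiedTime": "2020-05-20T14:30:00Z"},
        {"id": "r3", "modifiedTime": "2020-06-02T03:12:07Z"}]},
    {"name": "contract.pdf", "revisions": [
        {"id": "r1", "modifiedTime": "2020-06-02T03:12:09Z"}]},
    {"name": "handbook", "revisions": [
        {"id": "r1", "modifiedTime": "2020-04-11T10:00:00Z"}]},
]

def _ts(value):
    # Drive returns RFC 3339 timestamps; normalise the trailing "Z" for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(files, attack_start):
    """Sort files into untouched / rollback / backup_needed by revision timestamps."""
    cutoff = _ts(attack_start)
    plan = {"untouched": [], "rollback": [], "backup_needed": []}
    for f in files:
        revs = sorted(f["revisions"], key=lambda r: _ts(r["modifiedTime"]))
        clean = [r for r in revs if _ts(r["modifiedTime"]) < cutoff]
        if revs and len(clean) == len(revs):
            plan["untouched"].append(f["name"])   # nothing written since the attack
        elif clean:
            # Newest pre-attack revision is the restore candidate. Timestamps
            # alone do not prove it is intact: open it before trusting it.
            plan["rollback"].append((f["name"], clean[-1]["id"]))
        else:
            # Whole history dates from the attack window (e.g. a single version).
            plan["backup_needed"].append(f["name"])
    return plan

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FILES, "2020-06-02T00:00:00Z").items():
        print(bucket, items)
```

Files in the `backup_needed` bucket are the ones version history cannot help with, which is where the drawbacks listed above apply.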

Find Decryption Key

There are organizations that fight cybercriminals. They provide decryption keys online for free. For example, there’s this really cool No More Ransom project. You can try using their service to decrypt files.

Step 1.

Use their special online tool that helps you identify your type of ransomware. It’s called Crypto Sheriff. All you need to do is provide 2 infected files and copy and paste the demand note.

Step 2.

Once the type of your ransomware is identified, you can download the key from their Decryption Tools section.

This method has one significant flaw:

Most of the decryption keys there are from past attacks. Unfortunately, ransomware is relatively easy for hackers to develop. That’s why there are so many different types of it available.

If your files were infected with brand new ransomware, chances are you won’t find the key to your problem. In any case, we suggest you report the crime there.

Be Ready for the Next Attack with Automatic Google Drive Ransomware Recovery

As you can see, these methods of recovering from ransomware aren’t always efficient. That’s why about half of ransomware victims choose to pay the ransom rather than hire IT specialists to tackle the problem.

Unfortunately, paying the ransom doesn’t guarantee full recovery of your data. Ransomware victims who got the decryption key from cybercriminals reported partial loss of information after the restoration of their files.

The only way to keep your data safe is by using backups. Backup software creates a snapshot of your Google Drives and you can use it to restore the data upon request. Some modern tools like SpinOne also back up email and Calendar.

Let’s see how backup software works in case of a cyber attack. We’ll take our own tool as an example.

How to Remove Ransomware Virus and Restore the Files with SpinOne

When it comes to backup, SpinOne operates like many modern tools available on the market. Here is what it does:

  • Creates a copy of your entire Google Workspace once or thrice a day, as you choose.
  • Saves file versions for docs, sheets, and slides. 
  • Recovers all information or its parts to its original location.
  • Restores the file hierarchy.

However, when ransomware strikes, SpinOne acts like no other application:

  1. The AI at its core detects the malware within minutes after the attack begins.
  2. It stops the virus activity and initiates file restoration immediately.
  3. It immediately notifies the administrator of the incident.
  4. The restoration of the entire Google Workspace takes up to 30 minutes.

In many cases, employees don’t notice the incident at all, and admins find out about it after it has been stopped and the damage removed.


Sergiy Balynsky, VP of Engineering
About Author

Sergiy Balynsky is the VP of Engineering at Spin.AI, responsible for guiding the company's technological vision and overseeing engineering teams.

He played a key role in launching a modern, scalable platform that has become the market leader, serving millions of users.

Before joining Spin.AI, Sergiy contributed to AI/ML projects, fintech startups, and banking domains, where he successfully managed teams of over 100 engineers and analysts. With 15 years of experience in building world-class engineering teams and developing innovative cloud products, Sergiy holds a Master's degree in Computer Science.

His primary focus lies in team management, cybersecurity, AI/ML, and the development and scaling of innovative cloud products.