Prevent Ransomware in Google Drive and Box (knowledge base article from the UC Berkeley IT Service Hub - Knowledge Portal)
References:
How to Mitigate Ransomware Risks for Google Workspace Documents
Berkeley IT Ransomware Guide
Berkeley IT Ransomware ToolKit
Berkeley IT Ransomware Videos
Protecting your Google Drive from ransomware requires a two-pronged approach:
- preventing ransomware from infecting your devices, and
- limiting its access to Google Drive, even if your local files are compromised.
Prevention on Your Local Devices
The best way to protect your Google Drive is to prevent ransomware from ever reaching it by securing your local devices. The Berkeley Desktop Service can help with many of these protections.
For university-owned machines that are not managed through the Berkeley Desktop Service, ensure the Berkeley Security Software is installed.
Follow our Basic Cyber Security Requirements Checklist.
Limiting Ransomware's Impact on Google Drive
If ransomware does infect your local files, these steps can help minimize the damage to your Google Drive.
- Be Aware of Syncing Activity: Pay attention to the sync client's activity. If you notice many files being modified or renamed in rapid succession, especially to unfamiliar extensions, disconnect your computer from the internet immediately so the encrypted copies stop uploading and overwriting what is already in Drive.
- Utilize Google Drive's Version History: If ransomware encrypts files that then sync, you can potentially restore an earlier, unencrypted version. For uploaded (non-Google) files, right-click the affected file in Drive on the web, select "Manage versions", find the version you want, and either download it to save it locally or make it the current version. For Google Docs, Sheets and Slides, use File > Version history instead. Note that version history is not indefinite: by default Drive keeps earlier versions of uploaded files for 30 days or 100 versions, whichever comes first, unless you mark a version "Keep forever".
- Use a diverse backup strategy: While Google Drive's version history offers some protection, it's not a substitute for a dedicated backup solution. Use an external hard drive or a separate cloud backup service to create independent backups, ideally following the 3-2-1 backup rule (3 copies of your data, on 2 different storage media, with 1 copy offsite). Berkeley also offers UCBackup (paid service) and Enterprise Storage.
- Review Third-Party App Permissions: Regularly review and revoke access for any third-party applications you no longer use or don't recognize, as a compromised app holding Drive access could be used to reach your files. In a Google account this is under Security > Third-party apps & services (myaccount.google.com/permissions).
- Disable Google Drive Sync: For sensitive data, consider disabling syncing entirely and manually uploading files through your web browser on a regular basis. Ransomware encrypts whatever it can reach through the local filesystem, so if Drive is not mounted as a local volume or folder on your system, those files are out of its reach.
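The "unusual syncing activity" signal above is easy to describe but worth seeing as concrete detection logic. The following is an added example, not code from the Berkeley article or from Google: it takes a list of file-change events (in practice fed by a filesystem watcher on the synced folder, or by the Drive activity log) and flags a window in which many files are written or renamed to extensions that are not part of the folder's normal mix. The sample events, the baseline extension set and the thresholds are all constructed for illustration.

```python
"""Heuristic burst detector for ransomware-style activity in a synced folder.

Added example; not part of the Berkeley article. The event list would
normally come from a filesystem watcher or the Drive activity log; here it
is constructed inline so the script runs offline.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Assumed baseline: extensions that normally appear in this folder.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
                    ".txt", ".csv", ".gdoc", ".gsheet", ".gslides"}


@dataclass
class FileEvent:
    when: datetime
    op: str    # "created", "modified", "renamed" or "deleted"
    path: str  # path after the operation


@dataclass
class Alert:
    start: datetime
    end: datetime
    count: int                  # events inside the flagged window
    unknown_extensions: Counter  # unfamiliar extensions and how often each appeared


def extension(path: str) -> str:
    """Last extension of the file name, lower-cased; '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def find_bursts(events: List[FileEvent],
                window: timedelta = timedelta(seconds=60),
                min_events: int = 20,
                min_unknown_ratio: float = 0.5) -> List[Alert]:
    """Slide a time window over the events and report windows where at least
    min_events occurred and at least min_unknown_ratio of the writes produced
    an extension outside KNOWN_EXTENSIONS (thresholds are assumptions)."""
    events = sorted(events, key=lambda e: e.when)
    alerts: List[Alert] = []
    start = 0
    for end, ev in enumerate(events):
        while ev.when - events[start].when > window:
            start += 1
        span = events[start:end + 1]
        if len(span) < min_events:
            continue
        writes = [e for e in span if e.op in ("created", "modified", "renamed")]
        unknown = Counter(extension(e.path) for e in writes
                          if extension(e.path) not in KNOWN_EXTENSIONS)
        if writes and sum(unknown.values()) / len(writes) >= min_unknown_ratio:
            alerts.append(Alert(span[0].when, span[-1].when, len(span), unknown))
            start = end + 1  # consume this window so it is not reported twice
    return alerts


def constructed_sample() -> List[FileEvent]:
    """Constructed events: a quiet hour of ordinary edits, then 30 photos
    renamed to a '.locked' extension within 15 seconds."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    benign = [FileEvent(t0 + timedelta(minutes=10 * i), "modified",
                        f"Drive/reports/q{i}.docx") for i in range(5)]
    t1 = t0 + timedelta(hours=1)
    burst = [FileEvent(t1 + timedelta(milliseconds=500 * i), "renamed",
                       f"Drive/photos/img{i:03d}.jpg.locked") for i in range(30)]
    return benign + burst


if __name__ == "__main__":
    for a in find_bursts(constructed_sample()):
        top = ", ".join(f"{ext} x{n}" for ext, n in a.unknown_extensions.most_common(3))
        print(f"ALERT {a.start:%H:%M:%S}-{a.end:%H:%M:%S}: {a.count} events, "
              f"unfamiliar extensions: {top}. Disconnect from the network now.")
```

The alert fires on the twentieth event of the burst, which is the point: the aim is to notice the pattern early enough to disconnect before the whole folder has been rewritten and uploaded, not to classify the malware. Tune the window and thresholds against a week of your own folder's normal activity before relying on it, and treat a deletion storm (many "deleted" events) as a separate signal worth its own rule.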
If You Suspect a Ransomware Infection:
- Disconnect from the Internet Immediately: Unplug your network cable and turn off Wi-Fi and Bluetooth. This stops encrypted files from syncing and limits spread to other systems.
- Do Not Pay the Ransom: Payment doesn't guarantee file decryption and encourages cybercriminals.
- Report Suspected Incidents: Contact the UC Berkeley Information Security Office.