Google drive Ransomware

In a hypothetical scenario:

  • Ransomware gains access to the computer of a single user in an organization
  • They encrypt all the local Google Drive files / folders
  • Google Drive files sync back to Google Drive, therefore resulting in the loss of files to all users in the organization

Recovery?

  • If the files weren't modified, but deleted - then all the files could easily be recovered by an admin in bulk.
  • If the files were modified (encrypted) and not deleted - then the only way to restore the files would be individually, which is kind of an unfeasible task.

Solution:

Ability to restore modification of files in bulk, based on a specific timeframe.


@h424 Is this a suggestion? If so, you might want to request access to the Feature Ideas group. Feature Ideas is a dedicated area specifically for making suggestions for new features. Product-related questions can be posted in Workspace Q&A, whereas Workspace Discussion is for watercooler conversations and networking.

I think you can use API tools such as GAM to restore files in bulk. I am not a GAM pro but am pretty sure it is possible. 

Yeah, in the past I've written a script to restore files to a previous revision in the case of ransomware having done exactly that.
It would be a nice feature to have in the GAM tool.

I would be interested in hearing more about how you did this.

I actually did this using the Drive API and python scripting. Unfortunately lost the script, so currently would need another client project to give me a reason to make a new one.

That's a shame, undoubtedly a useful script to have in your pocket 😔

I've moved the thread to Workspace Q&A, in case anyone here sees the thread and has additional insight.

You have to write a script using Google Drive APIs to restore all files to a previous state, or use a backup/restore tool, such as CubeBackup.

I am currently facing this exact scenario. One of the employees was hit by a ransomware that modified (encrypted and renamed) all files in My Drive and Shared Drives. Looking in the admin panel I do not see any option provided by Google to bulk revert files.

Is there any available script to revert these files? I'm thinking either by date or by file extension added by the ransomware.

I can't help with the script, but I would like to mention a few things you all can do to prevent this from happening in the first place. 

1.) Have a solid endpoint protection software in place. Normal antivirus software is no longer good enough to protect your business from modern threats like ransomware. Here is a good blog article that explains why. Purchase something like SentinelOne or Crowdstrike to replace your antivirus software. These products detect malicious behavior on a computer (example, a program starting to encrypt lots of files, like Ransomware does). It then kills these programs and reverts any changes that the malicious software made. 

2.) Backup your data, regularly and often. Google does not protect you against data loss. If a malicious actor really wanted to harm you badly, they could get hold of a super admin account, disable all versioning on Drive and then detonate the ransomware. I always recommend our clients to use something like Afi Cloud Backup, which connects directly to the Drive API and backs up your data reliably. It's also affordable. We are a reseller and have deployed this for many customers. It's rock-solid, easy to use, and an absolute lifesaver when data loss occurs. 

I ended up writing a basic nodejs app with Drive API. Here's the main function for anyone needing it.

The function deletes revisions created by the compromised user account after a set date. This reverts the file to the most recent revision previous to the attack.


const { google } = require('googleapis');

const ransomUser = 'user@domain.com';
const ransomStart = new Date('2022-09-16');

async function restoreRevision(drive, fileId, fileName) {
	try {
		// Revisions come back oldest first; pageSize 1000 is the API maximum.
		let response = await drive.revisions.list({
			fileId: fileId,
			pageSize: 1000,
			fields: 'revisions(id, modifiedTime, lastModifyingUser(emailAddress), mimeType, originalFilename)',
		});
		const revisions = response.data.revisions;
		if (!revisions || revisions.length === 0) {
			console.log(fileId, fileName, 'No revisions found.');
			return;
		}

		// Walk from newest to oldest: delete every revision the compromised
		// account made after the attack started, then stop at the first clean one.
		let revisionDeleted = false;
		for (let i = revisions.length - 1; i > -1; i--) {
			const revision = revisions[i];
			const date = new Date(revision.modifiedTime);
			if ((!revision.lastModifyingUser || revision.lastModifyingUser.emailAddress == ransomUser) && date > ransomStart) {
				await drive.revisions.delete({
					fileId: fileId,
					revisionId: revision.id,
				});
				revisionDeleted = true;
				continue;
			}
			if (revisionDeleted) {
				// The surviving newest revision is now the pre-attack one; put its
				// original name back, since the ransomware renamed the file as well.
				await drive.files.update({
					fileId: fileId,
					supportsAllDrives: true,
					requestBody: {name: revision.originalFilename},
				});
				return;
			}
		}
		// Reached only when every revision was post-attack (e.g. the file was
		// created by the ransomware itself): nothing clean is left to fall back to.
		if (revisionDeleted) console.log(fileId, fileName, 'No clean revision remains.');
	} catch (err) {
		console.log(fileId, fileName, 'Failed restoreRevision with error', err.message);
	}
}

// Minimal driver for the step described above: list every file in My Drive and
// shared drives modified after the attack date and run restoreRevision on each.
// The credentials must be able to see the affected drives (e.g. domain-wide
// delegation for users' My Drive); a service-account key file is assumed here.
async function main() {
	const auth = new google.auth.GoogleAuth({
		keyFile: 'service-account.json',
		scopes: ['https://www.googleapis.com/auth/drive'],
	});
	const drive = google.drive({version: 'v3', auth});
	let pageToken;
	do {
		const res = await drive.files.list({
			q: `modifiedTime > '${ransomStart.toISOString().slice(0, 19)}' and trashed = false`,
			fields: 'nextPageToken, files(id, name)',
			pageSize: 1000,
			corpora: 'allDrives',
			includeItemsFromAllDrives: true,
			supportsAllDrives: true,
			pageToken,
		});
		for (const file of res.data.files) {
			await restoreRevision(drive, file.id, file.name);
		}
		pageToken = res.data.nextPageToken;
	} while (pageToken);
}

main().catch(console.error);
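An added example, not the script from the post above: the revision-selection logic pulled out into a pure function, so the restore plan for a file can be reviewed as a dry run before any revisions.delete call is made, and so the case the script does not report (every revision is post-attack, nothing clean to fall back to) is flagged for manual review. Field names follow the revisions.list request in the post; the sample revisions are constructed.

```javascript
function planRestore(revisions, ransomUser, ransomStart) {
  // Drive returns revisions oldest first, but sort explicitly so the plan does
  // not depend on API ordering or page boundaries.
  const ordered = [...revisions].sort(
    (a, b) => new Date(a.modifiedTime) - new Date(b.modifiedTime)
  );
  const isAttack = (r) =>
    (!r.lastModifyingUser || r.lastModifyingUser.emailAddress === ransomUser) &&
    new Date(r.modifiedTime) > ransomStart;

  // Walk newest to oldest, collecting attack revisions until the first clean
  // one, which becomes the restore target (its originalFilename undoes the rename).
  const deleteIds = [];
  for (let i = ordered.length - 1; i >= 0; i--) {
    const r = ordered[i];
    if (isAttack(r)) {
      deleteIds.push(r.id);
      continue;
    }
    if (deleteIds.length === 0) {
      return { status: 'untouched', deleteIds, restoreName: null };
    }
    return { status: 'restorable', deleteIds, restoreName: r.originalFilename };
  }
  // Every revision is post-attack: the file was created by the ransomware or its
  // clean history is gone, so deleting would leave nothing; leave it for review.
  return { status: 'no_clean_revision', deleteIds: [], restoreName: null };
}

// Constructed sample: a spreadsheet encrypted and renamed by the compromised account.
const sampleRevisions = [
  { id: '1', modifiedTime: '2022-09-01T10:00:00Z',
    lastModifyingUser: { emailAddress: 'alice@domain.com' }, originalFilename: 'report.xlsx' },
  { id: '2', modifiedTime: '2022-09-17T08:00:00Z',
    lastModifyingUser: { emailAddress: 'user@domain.com' }, originalFilename: 'report.xlsx.locked' },
  { id: '3', modifiedTime: '2022-09-17T08:05:00Z',
    lastModifyingUser: { emailAddress: 'user@domain.com' }, originalFilename: 'report.xlsx.locked' },
];

const plan = planRestore(sampleRevisions, 'user@domain.com', new Date('2022-09-16'));
console.log(JSON.stringify(plan));
```

Run the planner over every affected file first and review the summary counts per status; only the 'restorable' plans should be fed into the deletion step.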
