Blocking Cryptowall/Cryptolocker writing to network shares

Does anyone have a suggestion for a file monitoring program or a group policy that would identify when CryptoWall or CryptoLocker (or any of the new variants) is encrypting files on a network drive and actively block that PC from writing to the server? Based on my research it is almost impossible to stop CryptoWall/CryptoLocker if a user activates it, but there has to be a way to minimize the damage to the network drives. I have had two clients infected with CryptoWall/CryptoLocker this week and no one seems to have a good solution for preventing it. I have implemented software restriction policies, but that will be marginally effective at best since I can't restrict all executables in the AppData folder. One person recommended locking down the outbound ports on the firewall, but both of the networks that were infected already had the firewall locked down to the minimum required outbound ports. Any help would be appreciated.
JDBTech asked:
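As an added example (not part of the question or of any answer in this thread), here is the kind of server-side heuristic the question is asking for: a PowerShell script that runs on the file server, counts create/modify/rename events under a share, and on a burst denies share access to whichever accounts currently hold files open there and drops their sessions. It assumes Windows Server 2012 or later for the SmbShare cmdlets (Get-SmbOpenFile, Block-SmbShareAccess, Close-SmbSession) and an elevated session; the share name, path and thresholds are placeholders to be tuned.

```powershell
# Added example: burst-based write cut-off on the file server.
# Assumes Server 2012+ (SmbShare module) and an elevated PowerShell session.
# $ShareName, $SharePath and the thresholds are assumed placeholders.

$ShareName = 'Data'            # assumed share name
$SharePath = 'D:\Shares\Data'  # assumed local path behind that share
$Threshold = 50                # this many create/modify/rename events ...
$WindowSec = 10                # ... within this many seconds counts as a burst

# Timestamps of recent events, oldest first
$recent = New-Object 'System.Collections.Generic.Queue[datetime]'

function Test-Burst {
    param([datetime]$Now)
    # Drop events older than the window, then compare what is left to the threshold
    while ($recent.Count -gt 0 -and ($Now - $recent.Peek()).TotalSeconds -gt $WindowSec) {
        [void]$recent.Dequeue()
    }
    return ($recent.Count -ge $Threshold)
}

function Block-CurrentWriters {
    # Every account with a handle open under the share gets a Deny on the share
    # permissions and its SMB session is closed. Coarse on purpose: a locked-out
    # user for a few minutes beats a share full of encrypted files.
    $users = Get-SmbOpenFile |
        Where-Object { $_.Path -like "$SharePath*" } |
        Select-Object -ExpandProperty ClientUserName -Unique
    foreach ($user in $users) {
        Write-Warning "$(Get-Date -Format s) burst on \\$env:COMPUTERNAME\$ShareName - denying $user"
        Block-SmbShareAccess -Name $ShareName -AccountName $user -Force
        Close-SmbSession -ClientUserName $user -Force
    }
    return $users
}

$watcher = New-Object System.IO.FileSystemWatcher $SharePath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'

# Synchronous loop: WaitForChanged returns on the first matching event or after the timeout (ms)
$kinds = [System.IO.WatcherChangeTypes]'Created, Changed, Renamed'
while ($true) {
    $result = $watcher.WaitForChanged($kinds, 1000)
    if ($result.TimedOut) { continue }
    $now = Get-Date
    $recent.Enqueue($now)
    if (Test-Burst -Now $now) {
        Block-CurrentWriters | Out-Null
        $recent.Clear()
    }
}
```

Two caveats a practitioner would want stated. First, this is a rate heuristic, so a user copying a large folder into the share trips it just like ransomware does; raise the threshold, or point the watcher at a decoy folder that nobody legitimately writes to, so that any burst there is a real signal. Second, the first $Threshold files are already encrypted by the time the cut-off fires, and the Deny ACE stays until an admin runs `Unblock-SmbShareAccess -Name Data -AccountName DOMAIN\user`, so this limits damage but does not replace the backups the answers below insist on.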
NVIT commented:
CryptoPrevent alerts the admin during suspected activity.
0
John (Business Consultant, Owner) commented:
1. You should be sure you have really good external backups in place.

2. Then you should remind clients about standard safe computing practices.

Don't visit questionable or dodgy websites.
Don't click links found within emails from strangers or unknown people.
Do not give out personal information to strangers.

3. A good commercial anti-virus should protect against most variants; however, zero-day variants are always difficult, which is why the first two steps matter.

4. Look at Malwarebytes.org. They claim the enterprise version protects against cryptolocker but I have never tested this.
0
Thomas Zucker-Scharff (Solution Guide) commented:
Although John makes good points, NVIT hit it on the head: CryptoPrevent Corporate or CryptoGuard, using GPOs.

See my article for links and analysis.
http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
0
David Johnson, CD, MVP (Owner) commented:
Because people have poor backup strategies, this is a very thriving, high-growth industry. Each variant nets the developer millions of dollars. This means every script kiddie will be wanting to try it out. The source code is available on the black web for a price, the same as with exploit kits.
#1 rule: make everyone a standard user
#2 as part of the employment routine, each user must attend a security briefing with annual refreshers (or more often as required)
#3 IT must ensure that all machines have the latest updates to the OS and to the vulnerable items, i.e. all Adobe products (Flash/Acrobat/Reader) and Oracle Java
#4 if there isn't a valid and proven reason for installing Java on a machine, then DON'T install it as a matter of course
#6 CryptoPrevent is an item of last resort and is required. All it does is attempt to prevent the damage from occurring, but it must be updated frequently as newer versions of this thriving business are implemented and spread once the user has infected their machine
#7 disable scripting in Adobe Reader/Acrobat

Backup, Backup, Backup
1
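As an added example (my own, not David's), a quick audit script covering the points above that can be checked from the registry and local SAM: who is in the local Administrators group (#1), whether any Java is installed (#4), and whether Adobe Reader's JavaScript is locked off via Adobe's FeatureLockDown policy key (#7), with a -Fix switch that sets the lockdown value. It assumes an elevated session; the list of expected admins is a placeholder, and the registry paths are Microsoft's uninstall keys and Adobe's documented `HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\<version>\FeatureLockDown` location.

```powershell
# Added example: workstation audit for the hardening points above.
# Assumes an elevated session. $expectedAdmins is an assumed placeholder.

function Get-LocalAdmins {
    # ADSI works back to Server 2008 / Windows 7, where Get-LocalGroupMember does not exist
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-InstalledJava {
    # Both the native and the 32-bit (WOW6432Node) uninstall hives
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object -ExpandProperty DisplayName
}

function Get-ReaderJsLockdown {
    # bDisableJavaScript = 1 under FeatureLockDown turns JavaScript off and greys
    # the option out for the user, so they cannot turn it back on.
    param([switch]$Fix)
    $installRoots = 'HKLM:\SOFTWARE\Adobe\Acrobat Reader',
                    'HKLM:\SOFTWARE\WOW6432Node\Adobe\Acrobat Reader'
    $versions = $installRoots | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ } |
        Select-Object -ExpandProperty PSChildName -Unique
    foreach ($ver in $versions) {
        # HKLM\SOFTWARE\Policies is shared between the 32- and 64-bit registry views
        $fld = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ver\FeatureLockDown"
        if ($Fix) {
            New-Item -Path $fld -Force | Out-Null
            Set-ItemProperty -Path $fld -Name bDisableJavaScript -Value 1 -Type DWord
        }
        $val = (Get-ItemProperty -Path $fld -Name bDisableJavaScript -ErrorAction SilentlyContinue).bDisableJavaScript
        [pscustomobject]@{ ReaderVersion = $ver; JavaScriptLockedOff = ($val -eq 1) }
    }
}

# Assumed: only the built-in account and Domain Admins belong in local Administrators
$expectedAdmins = 'Administrator', 'Domain Admins'

$findings = @()
Get-LocalAdmins | Where-Object { $expectedAdmins -notcontains $_ } |
    ForEach-Object { $findings += "Unexpected local admin: $_" }
Get-InstalledJava | ForEach-Object { $findings += "Java present: $_" }
Get-ReaderJsLockdown | Where-Object { -not $_.JavaScriptLockedOff } |
    ForEach-Object { $findings += "Reader $($_.ReaderVersion): JavaScript not locked off (run Get-ReaderJsLockdown -Fix)" }
$findings
```

Run it per machine or push it as a startup script and collect the output; an empty result means the three checks pass. Patch level (#3) is deliberately left out, since "latest updates" depends on which update source the site uses and is better read from WSUS or the patch tool than from the endpoint.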

McKnife commented:
You write about software restriction policies being not too effective. They are 100% effective when used with whitelists. That would mean additional administrative work, of course, but it works.
You could also use a firewall strategy that allows only certain processes to write to shares; again, administrative overhead.

What we do ourselves is have people use a terminal server (remoteapps) to access the internet, they have no direct connection. This is by far the most effective measure we take. It has drawbacks, too, of course.
1
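As an added example (not McKnife's own configuration), this is what "SRP with whitelists" looks like in concrete terms: the default security level set to Disallowed, with Unrestricted path rules only for the Windows and Program Files directories, which standard users cannot write to. Everything launched from AppData, Temp or Downloads is then denied without having to enumerate those folders, which answers the asker's objection above. The script writes the same registry keys that the Local Security Policy editor populates and adds a function that pulls the resulting block events (IDs 865 and 866, source SoftwareRestrictionPolicies in the Application log) so you can see which user ran what from where. It assumes an elevated session and a test machine first; on a domain member, a GPO that defines SRP overrides these local values. The extra script extensions added to ExecutableTypes are my choice, not a Windows default.

```powershell
# Added example: local Software Restriction Policy in whitelist mode.
# Assumes an elevated session on a test machine; a domain GPO defining SRP
# will overwrite these local values. Paths below are assumed defaults.

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # security levels: 0 = Disallowed, 0x20000 = Basic User,
$Unrestricted = 0x40000  # 0x40000 = Unrestricted

# Directories allowed to run code. Standard users cannot write here, so
# %APPDATA%, %TEMP%, Downloads etc. need no explicit deny rule; the default
# level covers them. Add line-of-business install paths as needed.
$AllowedPaths = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
)

# File types SRP treats as executable: the Windows default list plus the
# script types (JS, JSE, VBE, VBS, WSF, WSH) that mail-borne droppers use.
$ExecutableTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
    'PIF','REG','SCR','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH'

function Set-SrpWhitelist {
    New-Item -Path $Base -Force | Out-Null
    Set-ItemProperty -Path $Base -Name DefaultLevel        -Value $Disallowed -Type DWord
    Set-ItemProperty -Path $Base -Name TransparentEnabled  -Value 1 -Type DWord   # 1 = all software except DLLs, 2 = DLLs too
    Set-ItemProperty -Path $Base -Name PolicyScope         -Value 0 -Type DWord   # 0 = all users, 1 = exempt local admins
    Set-ItemProperty -Path $Base -Name AuthenticodeEnabled -Value 0 -Type DWord
    Set-ItemProperty -Path $Base -Name ExecutableTypes     -Value $ExecutableTypes -Type MultiString

    # Path rules live under the key of the level they grant (here 262144 = Unrestricted)
    $rules = Join-Path $Base "$Unrestricted\Paths"
    New-Item -Path $rules -Force | Out-Null
    foreach ($p in $AllowedPaths) {
        $rule = New-Item -Path (Join-Path $rules "{$([guid]::NewGuid().ToString().ToUpper())}") -Force
        Set-ItemProperty -Path $rule.PSPath -Name ItemData    -Value $p -Type ExpandString
        Set-ItemProperty -Path $rule.PSPath -Name SaferFlags  -Value 0  -Type DWord
        Set-ItemProperty -Path $rule.PSPath -Name Description -Value 'Whitelisted directory (added example)' -Type String
    }
}

function Get-SrpBlockEvents {
    # SRP logs each block to the Application log: 865 = denied by the default
    # level, 866 = denied by a path rule. UserId and the path in Message tell
    # you who tried to run what, which is the origin question asked later on.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, Message
}

Set-SrpWhitelist
Get-SrpBlockEvents -Hours 1 | Format-List
```

Roll it out with PolicyScope = 1 first so local administrators stay exempt while you collect 865/866 events and add rules for whatever legitimate software turns out to live outside the two program directories; then set PolicyScope back to 0. SRP only governs the file types in ExecutableTypes, so Office macros and code run by an already-allowed interpreter are outside its reach, and setting TransparentEnabled to 2 (check DLLs too) closes a gap at a noticeable performance cost.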
JDBTech (Author) commented:
Thanks to all of you for the comments. In the 3 cases I have experienced I had good backups, so only a few hours of data was lost. It still takes a lot of time to determine the affected folders and restore the appropriate data, so it is a significant cost to the client.

I will certainly check out CryptoPrevent. The sooner I know something is going on, the easier it is to mitigate the damage.

One of the biggest problems I have had is determining where the infection actually originated. In every case the users deny seeing anything or clicking anything. By the end of the discussion they weren't even in the office that day. The only internet cache data I can find within the time window of the last infection was from expedia.com, so either it was a drive-by or the user isn't being forthcoming.

Thanks to Thomas Zucker-Scharff for the link to your article. Reading your article and related/linked articles should keep me busy today!

Thanks again to all for your help!
1
Thomas Zucker-Scharff (Solution Guide) commented:
You are welcome and good luck. Check out the acknowledgements in the article. Some experts here on EE contributed a lot.
0