Start Free TrialLog in
Avatar of JDBTech
JDBTechFlag for United States of America

asked on 

Blocking Cryptowall/Cryptolocker writing to network shares

Does anyone have a suggestion for a file monitoring program or a group policy that would identify when Cryptowall or Cryptolocker (or any of the new variants) is encrypting files on a network drive and actively block that PC from writing to the server?  Based on my research it is almost impossible to stop cryptowall/locker if a user activates it but there has to be a way to minimize the damage on the network drives.  I have had 2 clients infected with cryptowall/locker this week and no one seems to have a good solution for preventing it.  I have implemented software restriction policies but that will be marginally effective at best since I can't restrict all executables in the appdata folder.  One person recommended locking down the outbound ports on the firewall but both of the networks that were infected already had the firewall locked down to the minimum required outbound ports.  Any help would be appreciated.
Windows Server 2008Windows 7Network SecurityAnti-Virus AppsOS Security
Avatar of undefined
Last Comment
Thomas Zucker-Scharff
SOLUTION
Avatar of NVIT
NVIT
Flag of United States of America image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
SOLUTION
Avatar of John
John
Flag of Canada image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
SOLUTION
Avatar of Thomas Zucker-Scharff
Thomas Zucker-Scharff
Flag of United States of America image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
ASKER CERTIFIED SOLUTION
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
SOLUTION
Avatar of McKnife
McKnife
Flag of Germany image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of JDBTech
JDBTech
Flag of United States of America image

ASKER

Thanks to all of you for the comments.  In the 3 cases I have experienced I had good backups so only a few hours of data was lost.  It still takes a lot of time to determine the affected folders and restore the appropriate data so it is a significant cost to the client.  

I will certainly check out CryptoPrevent.  The sooner I know something is going on, the easier to mitigate the damage.  

One of the biggest problems I have had is determining where the infection actually originated.  In every case the users deny seeing anything or clicking anything.  By the end of the discussion they weren't even in the office that day.  The only internet cache data I can find within the time window of the last infection was from expedia.com so either it was a drive by or the user isn't being forthcoming.  

Thanks for Thomas Zucker-Scharff for the link to your article.  Reading your article and related/linked articles should keep me busy today!  

Thanks again to all for your help!
Avatar of Thomas Zucker-Scharff
Thomas Zucker-Scharff
Flag of United States of America image
You are welcome and good luck.  Check out the acknowledgements in the article.  Some experts here on EE contributed a lot.
Windows Server 2008
Windows Server 2008

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

86K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
Ask the experts

  • "Invaluable tool for our organization"

    Josh Regalski

  • "Your help has saved me hundreds of hours of internet surfing."

    @fblack61

  • "Just a dang good service!"

    @golferski

  • "Worth every penny."

    Steve Hougom

  • "It’s been a life saver."

    Maria Halt

  • "Best support site I’ve seen!"

    Bob Schneider

  • "I would be lost without them."

    @fblack61

  • "Saved my job multiple times."

    Walt Forbes

  • "I love this site."

    Maria Duwe

  • "Friendly respectful help."

    Andrew Kowtalo

  • "Such top-notch experts."

    @magento

  • "The best money I have ever spent."

    @rwheeler23

  • "Beyond any comprehensible value"

    George Morris

  • "Invaluable tool for our organization"

    Josh Regalski

Read over 600 more reviews

TRUSTED BY

IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent