Asked by JDBTech
Blocking Cryptowall/Cryptolocker writing to network shares

Does anyone have a suggestion for a file monitoring program or a group policy that would identify when Cryptowall or Cryptolocker (or any of the new variants) is encrypting files on a network drive and actively block that PC from writing to the server?  Based on my research it is almost impossible to stop cryptowall/locker if a user activates it but there has to be a way to minimize the damage on the network drives.  I have had 2 clients infected with cryptowall/locker this week and no one seems to have a good solution for preventing it.  I have implemented software restriction policies but that will be marginally effective at best since I can't restrict all executables in the appdata folder.  One person recommended locking down the outbound ports on the firewall but both of the networks that were infected already had the firewall locked down to the minimum required outbound ports.  Any help would be appreciated.
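One way to build the detect-and-block mechanism the question asks for, as an added example that is not from the thread or any of its answers: a File Server Resource Manager (FSRM) file screen on the file server (Windows Server 2012 or later) whose command action denies the offending account further access to the share. The share name, local path, decoy folder and extension list are assumptions; because FSRM exposes the writing account but not the client machine, this blocks the user account rather than the PC.

```powershell
# Added example, not from the thread. Requires Windows Server 2012+ with the
# File Server Resource Manager role and the SmbShare module; run elevated on the
# file server. Share name, path, decoy folder and extension list are assumptions.
Import-Module FileServerResourceManager
Import-Module SmbShare

$ShareName = 'Data'                                   # assumed share name
$SharePath = 'D:\Shares\Data'                         # assumed local path of the share
$DecoyPath = Join-Path $SharePath '_aaa_decoy'        # sorts first, so directory walkers hit it early

# Decoy folder with bait files; no legitimate workflow should ever write here.
New-Item -ItemType Directory -Path $DecoyPath -Force | Out-Null
1..5 | ForEach-Object { Set-Content -Path (Join-Path $DecoyPath "invoice$_.docx") -Value ('bait ' * 200) }

# File group of names seen on encrypted files and ransom notes (constructed list,
# extend it as variants appear). Name-based screens miss variants that keep the
# original file names, which is why the decoy screen below matches every write.
$extGroup = New-FsrmFileGroup -Name 'Ransomware artefacts' `
    -IncludePattern @('*.encrypted', '*.locked', '*.crypt', 'HELP_DECRYPT.*', 'DECRYPT_INSTRUCTION.*')
$anyGroup = New-FsrmFileGroup -Name 'Any file' -IncludePattern @('*')

# Response: deny the writing account access to the share. [Source Io Owner] is an
# FSRM macro that expands to DOMAIN\user when the action runs. FSRM does not expose
# the client machine, so this blocks the account rather than the PC.
$block = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -Command `"Block-SmbShareAccess -Name '$ShareName' -AccountName '[Source Io Owner]' -Force`"" `
    -SecurityLevel LocalSystem
$log = New-FsrmAction -Type Event -EventType Error `
    -Body 'Ransomware screen hit: [Source Io Owner] wrote [Source File Path] on [Server]; share access denied.'

# Active screens reject the offending write itself and then run the actions.
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Ransomware artefacts' `
    -Notification @($block, $log) -Active | Out-Null
New-FsrmFileScreen -Path $DecoyPath -IncludeGroup 'Any file' `
    -Notification @($block, $log) -Active | Out-Null

# After cleanup and restore, re-admit the user with:
# Unblock-SmbShareAccess -Name $ShareName -AccountName 'DOMAIN\user' -Force
```

Tell users the decoy folder is off limits before enabling the second screen, since any write there, accidental or not, locks the account out of the share until an administrator unblocks it.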
JDBTech (ASKER)
Thanks to all of you for the comments.  In the 3 cases I have experienced I had good backups so only a few hours of data was lost.  It still takes a lot of time to determine the affected folders and restore the appropriate data so it is a significant cost to the client.  

I will certainly check out CryptoPrevent.  The sooner I know something is going on, the easier to mitigate the damage.  

One of the biggest problems I have had is determining where the infection actually originated.  In every case the users deny seeing anything or clicking anything.  By the end of the discussion they weren't even in the office that day.  The only internet cache data I can find within the time window of the last infection was from expedia.com so either it was a drive by or the user isn't being forthcoming.  

Thanks to Thomas Zucker-Scharff for the link to your article.  Reading your article and related/linked articles should keep me busy today!

Thanks again to all for your help!
You are welcome and good luck.  Check out the acknowledgements in the article.  Some experts here on EE contributed a lot.