# Network Shared Drive Encrypted by CryptoWall? How to Track Down the Infected PC

By [Matt Mellen](https://www.paloaltonetworks.com/blog/author/matt-mellen/?ts=markdown "Posts by Matt Mellen")

Nov 17, 2015

There is a lot of information on the web about preventing and recovering from CryptoWall or ransomware attacks in enterprise environments, but most of it doesn't answer this basic question:

"*How do I determine which CryptoWall-infected PC encrypted all the documents in one of my network-shared drives? I don't have audit logging enabled on my file server.*"

Although many organizations are working on migrating their document storage to the cloud, most still rely on individual Microsoft network shares as a document repository for each business department. For example, the financial controller's office may have a network share dedicated to that department, the HR department has a different one, and so on. When a user's PC in one of these departments becomes infected by CryptoWall, the ransomware iterates through *all files* in *all folders* on *all local and mapped network drives* and encrypts certain file types that the user has permission to modify.

As a security lead for a hospital network, I created the following CryptoWall response plan specifically to deal with impacted department shared drives:

1. Identify the user account that modified (encrypted) the shared drive files.
2. Identify the infected PC and restrict network access.
3. Create an inventory of all network share directories impacted.
4. Restore impacted directories from backup.

Identifying the user account in Step 1 can be challenging if you don't know where to look. The best way to identify the user account used to encrypt the files is to examine the "owner" attribute of one of the instruction files created by the ransomware. Because the ransomware creates these files while running under the infected user's account, the file system records that account as their owner. Here are the steps to identify the owner:

1. Right-click the instructions file (for example, HELP_DECRYPT.txt) created by the ransomware on the network share, and select Properties.

   [![cryptowall matt 1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/cryptowall-matt-1.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/cryptowall-matt-1.png)

2. Select the *Security* tab -> *Advanced* -> *Owner*, and view the *Current Owner* attribute. The Current Owner attribute is likely the username used to encrypt the files in the directory.

   [![cryptowall matt 2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/cryptowall-matt-2.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/cryptowall-matt-2.png)

   [![cryptowall matt 3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/cryptowall-matt-3-500x354.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/cryptowall-matt-3.png)

Once you know the username used to encrypt the files, you can reset the user's password, attempt to contact the person, and identify the user's assigned PC in order to block it on the network. Once the PC is blocked, the server team can then identify the impacted directories on the network share (Tip: Use PowerShell to identify directories containing the instructions file). Finally, the Backup team can restore the files in all of the identified directories.
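
The owner lookup (Step 1) and the directory inventory (Step 3) can be scripted together. The following PowerShell is an added example, not part of the original post; the share path `\\fileserver\finance` and the output file name are placeholders, and the script only reads file metadata.

```powershell
# Added example: list every directory on a share that contains the ransom-note
# file and record the NTFS owner of each note. Read-only; changes nothing.
param(
    [string]$ShareRoot = '\\fileserver\finance',        # placeholder share path
    [string]$NoteName  = 'HELP_DECRYPT.txt',             # file name given in the post
    [string]$OutCsv    = '.\impacted-directories.csv'    # placeholder output file
)

# Find every copy of the instructions file below the share root.
# Unreadable folders are skipped rather than aborting the scan.
$notes = Get-ChildItem -Path $ShareRoot -Filter $NoteName -File -Recurse `
             -ErrorAction SilentlyContinue

$report = foreach ($note in $notes) {
    try {
        # Same value the Properties > Security > Advanced > Owner dialog shows.
        $owner = (Get-Acl -LiteralPath $note.FullName -ErrorAction Stop).Owner
    } catch {
        $owner = 'UNREADABLE'    # access denied, or file removed during the scan
    }
    [pscustomobject]@{
        Directory  = $note.DirectoryName
        Owner      = $owner
        CreatedUtc = $note.CreationTimeUtc
    }
}

if (-not $report) {
    Write-Output "No $NoteName files found under $ShareRoot"
    return
}

# Step 1: which account(s) own the note files, most frequent first.
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Time window in which the notes were written, for matching against other logs.
$sorted = @($report | Sort-Object CreatedUtc)
Write-Output ("Notes created between {0:u} and {1:u}" -f `
    $sorted[0].CreatedUtc, $sorted[-1].CreatedUtc)

# Step 3: hand the list of impacted directories to the backup team.
$report | Sort-Object Directory | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Output ("{0} impacted directories written to {1}" -f $sorted.Count, $OutCsv)
```

More than one owner in the summary means more than one account wrote note files to the share, so each should be followed up separately.
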
For more information on the latest CryptoWall threat, take a look at a [detailed analysis of CryptoWall v3](http://cyberthreatalliance.org/cryptowall-report.pdf) authored by the [Cyber Threat Alliance](http://cyberthreatalliance.org/), cofounded by Palo Alto Networks.