I have a small network with about 15 workstations connecting to a server. They have mapped drives to shared directories on the server. Something infected with CryptoWall is encrypting files in the shared directories. We are having trouble identifying which machine is infected and doing the encrypting. I am looking for ideas on how to identify the infected machine. I have tried using Process Monitor from Sysinternals and looking through the logs to see who is touching the affected files, but I did not have much luck. I looked at OpenedFilesView from NirSoft, but it does not show the user who has the file open. The manage open files console in Windows does show the user, but it does not give a real-time view or save a log. Is there something specific in the network traffic I could look for in Wireshark? Open to any ideas.
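An added example, not part of the original post: one way to get the saved, near-real-time record that the open-files console lacks, by polling the server's SMB open-file table and logging the client and user behind each handle. It assumes the file server runs Windows Server 2012 or later, where `Get-SmbOpenFile` is available; the share path, log path, interval and duration are placeholders.

```powershell
# Added example: poll the SMB server's open-file table and keep a log of
# which client and user opened each file. Run elevated on the file server.
# Assumption: Windows Server 2012 or later (Get-SmbOpenFile is available).
param(
    [string]$SharePath   = 'D:\Shares',                  # placeholder: local path of the shared folder
    [string]$LogFile     = 'C:\Temp\smb-open-files.csv', # placeholder: existing folder for the log
    [int]   $IntervalMs  = 500,                          # how often to sample the open-file table
    [int]   $DurationMin = 30                            # how long to keep watching
)

$seen = @{}                                   # session/file handles already written to the log
$stop = (Get-Date).AddMinutes($DurationMin)

while ((Get-Date) -lt $stop) {
    # Only handles on files under the affected share are of interest.
    $open = Get-SmbOpenFile | Where-Object { $_.Path -like "$SharePath*" }

    foreach ($f in $open) {
        $key = "$($f.SessionId)/$($f.FileId)"
        if ($seen.ContainsKey($key)) { continue }   # log each handle once
        $seen[$key] = $true

        [pscustomobject]@{
            Time   = (Get-Date).ToString('o')
            Client = $f.ClientComputerName          # workstation name or IP address
            User   = $f.ClientUserName
            Path   = $f.Path
        } | Export-Csv -Path $LogFile -Append -NoTypeInformation
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# Summary: a workstation that is encrypting a share opens far more distinct
# files than one being used normally, so rank clients by distinct files opened.
Import-Csv $LogFile |
    Group-Object Client |
    ForEach-Object {
        [pscustomobject]@{
            Client = $_.Name
            Users  = ($_.Group.User | Sort-Object -Unique) -join ', '
            Files  = ($_.Group.Path | Sort-Object -Unique).Count
        }
    } |
    Sort-Object Files -Descending |
    Format-Table -AutoSize
```

Polling misses handles that open and close between two samples, so treat the ranking as a pointer to which workstation to inspect first rather than a complete record.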