Symantec has multiple articles with some helpful stuff:
Ransomware removal and protection with Symantec Endpoint Protection
Additional information about Ransomware threats
Preventing ransomware attacks with Download Insight
Application control is really helpful and does a great but as you've seen it will take tuning to get it to what works for you. Using System Lockdown (whitelisting) is another option, but again, much tuning may be needed to start.
If ADC or System Lockdown are not much of an option than make sure you have your AV policy set to be more secure, may need to kick Download Insight up a notch or two (more false positives potentially), use SONAR, and IPS as well.
There are options outside of SEP as well:
https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated
What does your perimeter look like? Mail gateway scanning, NIPS, firewall in place and tuned?