There's always a way to stop the Ultrasurf but you need to invest some money to do it. If not then Cat and Mouse chase will prevail.
To block/filter Ultrasurf and other SSL tunnel activity. You must have the following:
1. ISA Server
If you have a spare box then you can try it for 30 days.
ISA Tips/Tools/Add-Ons: http://www.isaserver.bm/Summary of Steps to Take to Block Ultrasurf
1. At the firewall, block all outbound DNS requests to unauthorized external DNS servers – or – request the list of known Ultrasurf DNS servers and block only those. Ensure that authorized DNS traffic is allowed, including outbound traffic from your internal DNS servers to upstream DNS servers.
2. At the web filter, block docs.google.com by IP address and make sure HTTPS filtering is on.
3. At the web filter, block the Proxy category and make sure that proxy pattern detection is enabled.
4. Remove Ultrasurf cache files in user temp directories – and/or – at the firewall, block the IP ranges of problematic home computer netblocks