GhostLock Tool Abuses Windows APIs to Block Access to SMB Files
GhostLock is a proof-of-concept, not active malware
A security researcher has released a proof-of-concept tool called GhostLock that shows how legitimate Windows file APIs can be abused to make local and SMB-shared files temporarily inaccessible.
The research, created by Kim Dvash of Israel Aerospace Industries, focuses on the Windows CreateFileW() API and its dwShareMode parameter. By opening files with dwShareMode = 0, an attacker can request exclusive access and block other users or applications from opening the same files.
How GhostLock works
When GhostLock keeps file handles open, affected users may see STATUS_SHARING_VIOLATION errors. The files do not need to be encrypted, deleted, or modified. They simply remain unavailable while the exclusive handles stay active.
The tool can recursively open large numbers of files across SMB network shares. It can also continuously reacquire file handles, making recovery harder if defenders only close some sessions or restart affected applications.
The most concerning detail is that the technique reportedly does not require administrator privileges. A standard domain user account could carry out the attack if it has access to the targeted shared files.
Why this is not ransomware
GhostLock does not behave like traditional ransomware. It does not encrypt files or demand payment. Instead, it creates disruption by abusing normal file-locking behavior inside Windows.
Access returns when the SMB session ends, the GhostLock process stops, or the system reboots. Windows then closes the active file handles and releases the locked files.
Even so, the operational impact could be serious. In a business environment, locked shared files could disrupt finance teams, legal departments, production workflows, or any service that relies on shared storage.
Detection may be difficult
The attack mainly generates legitimate file-open requests, which makes it harder to catch with tools that focus on encryption, mass file writes, or suspicious file modifications.
Dvash recommends watching for large numbers of open files with ShareAccess = 0. However, this signal may appear more clearly at the file server or storage management layer than in standard Windows event logs, EDR telemetry, or network flow data.
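The detection logic below is an added example, not code from the article or from Dvash's GhostLock material. It applies the ShareAccess = 0 heuristic to a constructed open-file listing of the kind a file server can export (on Windows, `Get-SmbOpenFile` on the server itself lists open handles per client session) and flags sessions that hold many exclusive handles relative to their total opens, so that a single legitimate exclusive open does not trip the alert. The record field names (`ClientUserName`, `ClientComputerName`, `Path`, `ShareMode`), the sample data and the thresholds are assumptions to adapt to your own export.

```python
"""Flag SMB sessions holding unusually many exclusive (ShareAccess = 0) file handles.

Added example. The record layout mirrors what a file server's open-file listing
might export; the field names are an assumption, not a documented schema.
"""
from collections import defaultdict

# Constructed sample records (not real telemetry). Normal users open with
# sharing allowed; one session holds exclusive handles across a whole share.
SAMPLE_OPEN_FILES = [
    {"ClientUserName": "CORP\\alice", "ClientComputerName": "10.0.0.21",
     "Path": r"D:\Shares\Finance\budget.xlsx", "ShareMode": "Read"},
    {"ClientUserName": "CORP\\alice", "ClientComputerName": "10.0.0.21",
     "Path": r"D:\Shares\Finance\notes.docx", "ShareMode": "Read, Write"},
    # A single exclusive open is ordinary (some applications do this briefly).
    {"ClientUserName": "CORP\\bob", "ClientComputerName": "10.0.0.34",
     "Path": r"D:\Shares\Legal\contract.pdf", "ShareMode": "None"},
]
SAMPLE_OPEN_FILES += [
    {"ClientUserName": "CORP\\jdoe", "ClientComputerName": "10.0.0.77",
     "Path": rf"D:\Shares\Finance\report_{i:03}.xlsx", "ShareMode": "None"}
    for i in range(40)
]


def is_exclusive(record: dict) -> bool:
    """True when the handle was opened with no sharing (ShareAccess = 0).

    Exports may render the value as "None" or as the raw integer 0.
    """
    mode = str(record.get("ShareMode", "")).strip().lower()
    return mode in {"0", "none"}


def exclusive_counts(records):
    """Per (user, client) session: total opens, exclusive opens, directories touched."""
    stats = defaultdict(lambda: {"total": 0, "exclusive": 0, "dirs": set()})
    for rec in records:
        key = (rec["ClientUserName"], rec["ClientComputerName"])
        stats[key]["total"] += 1
        if is_exclusive(rec):
            stats[key]["exclusive"] += 1
            # Directory breadth hints at recursive traversal rather than one document.
            stats[key]["dirs"].add(rec["Path"].rsplit("\\", 1)[0])
    return stats


def flag_sessions(records, min_exclusive=20, min_ratio=0.8):
    """Return (user, client, exclusive_count) for sessions over both thresholds.

    Both an absolute count and a ratio are required so a busy but normal user
    with a handful of exclusive opens among many shared ones is not flagged.
    """
    flagged = []
    for (user, client), s in exclusive_counts(records).items():
        ratio = s["exclusive"] / s["total"]
        if s["exclusive"] >= min_exclusive and ratio >= min_ratio:
            flagged.append((user, client, s["exclusive"]))
    return sorted(flagged)


if __name__ == "__main__":
    for user, client, n in flag_sessions(SAMPLE_OPEN_FILES):
        dirs = exclusive_counts(SAMPLE_OPEN_FILES)[(user, client)]["dirs"]
        print(f"ALERT {user} from {client}: {n} exclusive handles across {len(dirs)} director(y/ies)")
```

Because access returns as soon as the holding session ends, the useful response action is to identify the client session rather than the individual files; the session key (user, client address) is what an operator would then look up in the file server's session list.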
The researcher also published defensive material, including SIEM detection queries, NDR detection rules, and whitepaper templates to help organizations test their exposure.
Why it matters
GhostLock shows that attackers do not always need malware that destroys or encrypts data. They can also weaponize legitimate Windows functionality to create outages, distract IT teams, and buy time during an intrusion.
A disruption like this could act as a decoy while attackers steal data, move laterally, or expand access elsewhere in the network.
The research follows other recent security developments, including reports of a TCLBanker Trojan spreading through WhatsApp and Outlook, and a fake OpenAI Privacy Filter repository used to distribute malware. OpenAI has also released GPT-5.5-Cyber in a limited preview for security defenders working against emerging threats.