What happened
A security researcher has published a proof-of-concept tool called GhostLock that demonstrates how the legitimate Windows CreateFileW API can be abused to block access to files on local systems and SMB network shares without requiring elevated privileges. The tool and accompanying whitepaper were released publicly along with detection guidance to help defenders build appropriate monitoring capabilities.
GhostLock exploits the dwShareMode parameter of the CreateFileW function. When a file is opened with dwShareMode set to zero, Windows grants the calling process exclusive access, so no other user or application can open it; attempts by other processes to access the file fail with a STATUS_SHARING_VIOLATION error. The tool automates this by recursively opening large numbers of files across SMB shares and holding the handles open to sustain the access block. The attack requires only standard domain user privileges; no elevation is needed. The disruption persists until the SMB session is terminated, the GhostLock processes are killed, or the affected system is rebooted, at which point Windows automatically releases the handles and restores access.
The researcher characterizes the technique as disruption-based rather than destructive, noting that the parallel to ransomware lies in operational downtime rather than data loss. The researcher also highlighted a secondary concern: attackers could use widespread file-access disruption as a decoy to overwhelm IT staff while conducting data theft, lateral movement, or other malicious activity elsewhere in the environment. Most security products and EDR tools focus on detecting mass file writes or encryption operations, so GhostLock’s pattern of legitimate file open requests is harder to flag through standard detection channels. The researcher noted that the only reliable detection metric is the per-session count of open files with ShareAccess set to zero at the file server layer, a metric exposed by storage platform management interfaces rather than by Windows event logs or EDR telemetry. The researcher published SIEM queries and an NDR detection rule in the GhostLock whitepaper as detection templates.
Who is affected
Any organization with SMB file shares accessible to domain users is potentially exposed. The attack requires only standard domain credentials, meaning any compromised user account can be used to execute it without needing to escalate privileges first.
Why CISOs should care
GhostLock creates operational disruption equivalent to ransomware in terms of file access downtime, without any of the destructive indicators that trigger most security tooling. No encryption, no mass file writes, no known malicious signatures. The attack generates only legitimate Windows file open requests at volume, which fall entirely outside the detection patterns most organizations have built their ransomware response around.
The decoy use case is also worth taking seriously. A sudden loss of file access across an organization is the kind of event that floods IT helpdesks and consumes security team attention quickly, providing meaningful cover for concurrent malicious activity that might otherwise be caught.
3 practical actions
Implement per-session open-file count monitoring at the file server layer: The researcher identified this as the only reliable detection indicator. Review whether your storage platform management interfaces expose per-session open-file metrics with ShareAccess zero filtering, and configure alerting for sessions holding anomalously large numbers of exclusive file handles simultaneously.
Use the SIEM queries and NDR detection rules published in the GhostLock whitepaper as a detection baseline: The researcher has provided ready-to-use detection templates. Implement these in your SIEM and network detection platforms as a starting point and tune them to your environment’s normal file access patterns.
Assess SMB share access controls and limit which accounts can open large numbers of files concurrently: Review whether standard domain users require broad read access to large SMB share directories, and consider implementing access controls that limit the scope of what a single compromised account can reach. Session-level rate limiting on file handle creation at the server layer can also reduce the impact of a GhostLock-style attack if prevention is not possible.
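The following is an added illustration of the first action above, not code from the GhostLock whitepaper or any storage vendor: it takes an export of open-file records from a file server (the CSV layout, field names and sample values are constructed assumptions) and flags SMB sessions holding an anomalous number of exclusive handles, i.e. files opened with ShareAccess 0.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of open-file records, in the shape a file-server
# management interface might provide. The column names are assumptions, not a
# real vendor schema. share_access 0 means the handle was opened with
# dwShareMode = 0, i.e. exclusive access; 1 and 3 are ordinary shared opens.
SAMPLE_EXPORT = """session_id,user,path,share_access
0x1a,CORP\\alice,\\\\fs01\\finance\\q1.xlsx,3
0x1a,CORP\\alice,\\\\fs01\\finance\\q2.xlsx,1
0x2b,CORP\\bob,\\\\fs01\\hr\\policy.docx,0
""" + "".join(
    # One session holding 500 exclusive handles at once (constructed).
    f"0x3c,CORP\\mallory,\\\\fs01\\projects\\doc{i}.docx,0\n" for i in range(500)
)


def exclusive_handles_per_session(export_text):
    """Count exclusive (share_access == 0) and total open handles per session."""
    counts = defaultdict(lambda: {"user": None, "exclusive": 0, "total": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = counts[row["session_id"]]
        entry["user"] = row["user"]
        entry["total"] += 1
        if int(row["share_access"]) == 0:
            entry["exclusive"] += 1
    return dict(counts)


def flag_sessions(export_text, threshold=100):
    """Return sessions holding at least `threshold` exclusive handles at once.

    A single editor legitimately opens a handful of files exclusively; hundreds
    held simultaneously by one session is the pattern worth alerting on. The
    default threshold is an assumed starting point; tune it to your baseline.
    """
    return {
        sid: info
        for sid, info in exclusive_handles_per_session(export_text).items()
        if info["exclusive"] >= threshold
    }


if __name__ == "__main__":
    for sid, info in flag_sessions(SAMPLE_EXPORT).items():
        print(f"ALERT session {sid} ({info['user']}): "
              f"{info['exclusive']} exclusive of {info['total']} open handles")
```

Run it against a periodic export rather than a one-off snapshot, since the signal is handles held open over time, not the open requests themselves.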
Also in the news today:
- TrickMo Android Banker Adopts TON Blockchain for Covert Command-and-Control
- Official Checkmarx Jenkins Plugin Compromised With Infostealer
- OpenAI Launches Daybreak Initiative to Automate Vulnerability Detection and Remediation
- Texas Sues Netflix Over Alleged Unauthorized Data Collection and Sharing
- UK Water Company Fined After Hackers Lurked Undetected for Nearly Two Years
- OpenLoop Health Data Breach Confirmed at 716,000 Individuals
- Instructure Pays Ransom to Resolve Canvas Data Breach Affecting 275 Million Users
