
GhostLock Exploits Windows API to Disrupt File Access


"Yes, the impact is disruption-based, not destructive. The parallel to ransomware is the operational downtime window, not data loss," Kim Dvash of Israel Aerospace Industries told BleepingComputer about a newly released proof-of-concept called GhostLock.

GhostLock and the CreateFileW sharing parameter

GhostLock demonstrates a simple but effective abuse of a legitimate Windows file API. The technique leverages CreateFileW() and, specifically, the dwShareMode parameter that governs what other processes may do with a file while it is opened. When a process opens a file with dwShareMode set to 0, Windows grants exclusive access; other processes attempting to open the same file receive a STATUS_SHARING_VIOLATION error. The researcher’s example shows a handle opened against a network path such as \\server\share\finance.xlsx with dwShareMode = 0, making that file inaccessible to other users or applications while the handle remains active.

How the GhostLock tool operates on SMB shares

Dvash published a GhostLock tool on GitHub that automates the approach by recursively opening large numbers of files on SMB network shares. While those file handles remain open, new access attempts produce sharing violations and fail. The tool does not require elevated privileges: it can be run by “standard” domain users. The disruption can be amplified if an attacker runs the tool from multiple compromised devices simultaneously and continuously reacquires file handles as previous processes end.

Transient disruption and automatic recovery

GhostLock is primarily a disruption technique rather than a destructive one. According to the researcher, access is automatically restored when the associated SMB session is terminated, when the GhostLock processes are killed, or when the affected system is rebooted; Windows closes the handles and files become available again. That transient nature is why Dvash frames the impact in operational terms — downtime, not data loss.

How attackers might use GhostLock in operations

Beyond pure denial-of-service, Dvash warns that GhostLock could serve as a decoy or force multiplier during intrusions. Widespread file-access disruptions could be used to overwhelm IT staff and incident-response teams while attackers pursue lateral movement, data theft, or other malicious activity elsewhere in the environment. Part of the technique’s value to a malicious operator is that the noise it creates looks legitimate: GhostLock produces large volumes of valid file-open requests rather than anomalous mass writes or encryption operations.

Detection limitations and defender guidance

Detecting GhostLock is nontrivial because it relies on legitimate API calls. As Dvash puts it, "The only observable that reliably identifies this attack is the per-session open-file count with ShareAccess = 0 at the file server layer — a metric that lives inside storage platform management interfaces, not in Windows event logs, not in EDR telemetry, not in network flow data." Many security products and behavioral systems prioritize detection of mass file writes or encryption; GhostLock instead generates high volumes of ordinary file opens, making it less likely to trigger those detection patterns.

To assist defenders, the researcher has shared SIEM queries and a network-detection (NDR) rule in the GhostLock whitepaper that teams can use as templates for creating their own detections. Those artifacts provide a starting point for instrumenting the file-server layer or storage management interfaces where the reliable observable — per-session counts of open files with ShareAccess = 0 — can be measured.
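The observable the researcher describes, a per-session count of open files held with ShareAccess = 0, can be computed from whatever open-file export a file server or storage platform provides. The following is an added example written for this page; it is not Dvash's GhostLock tool, nor the SIEM queries or NDR rule from the whitepaper. The record fields (session_id, client, user, path, share_access), the sample records, and the threshold of 50 are all constructed assumptions: a real deployment would map the fields from its own management interface export and baseline the threshold per share.

```python
"""
Added example: flag SMB sessions holding many exclusive (ShareAccess = 0)
file handles, the per-session observable described in the text.
Input records are constructed here; in practice they would come from the
file server's or storage platform's open-file management interface.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Win32 share-mode bits for reference: FILE_SHARE_READ = 1,
# FILE_SHARE_WRITE = 2, FILE_SHARE_DELETE = 4.  A value of 0 means the
# handle was opened exclusively, which is what the detection keys on.
SHARE_NONE = 0


@dataclass(frozen=True)
class OpenFile:
    """One open-file record. Field names are assumptions for this example,
    not the schema of any real server export."""
    session_id: str
    client: str        # client host that owns the SMB session
    user: str          # account that authenticated the session
    path: str          # share-relative path of the open file
    share_access: int  # share mode the handle was opened with


def exclusive_opens_per_session(records: Iterable[OpenFile]) -> Dict[str, dict]:
    """Aggregate per session: owner, client, total opens, exclusive opens."""
    stats: Dict[str, dict] = {}
    for r in records:
        s = stats.setdefault(
            r.session_id,
            {"user": r.user, "client": r.client, "total": 0, "exclusive": 0})
        s["total"] += 1
        if r.share_access == SHARE_NONE:
            s["exclusive"] += 1
    return stats


def flag_sessions(records: Iterable[OpenFile], threshold: int = 50) -> Dict[str, dict]:
    """Sessions holding at least `threshold` exclusive opens.
    The default threshold is a placeholder; baseline it per share before use."""
    return {sid: s for sid, s in exclusive_opens_per_session(records).items()
            if s["exclusive"] >= threshold}


def distributed_users(records: Iterable[OpenFile], threshold: int = 50,
                      min_clients: int = 2) -> Dict[str, Set[str]]:
    """Accounts whose flagged sessions originate from several distinct clients,
    matching the multi-device amplification the article describes."""
    clients: Dict[str, Set[str]] = defaultdict(set)
    for s in flag_sessions(records, threshold).values():
        clients[s["user"]].add(s["client"])
    return {u: c for u, c in clients.items() if len(c) >= min_clients}


def constructed_records() -> List[OpenFile]:
    """Constructed sample: one ordinary session plus two sessions from different
    hosts, under the same account, each holding many exclusive handles."""
    recs = [
        OpenFile("s-1", "ws-01", "alice", "finance\\q3.xlsx", 1),          # FILE_SHARE_READ
        OpenFile("s-1", "ws-01", "alice", "finance\\notes.docx", 3),       # READ | WRITE
        OpenFile("s-1", "ws-01", "alice", "finance\\lock.tmp", SHARE_NONE),  # one exclusive open is normal
    ]
    for sid, host in (("s-2", "ws-17"), ("s-3", "ws-42")):
        recs += [OpenFile(sid, host, "bob", f"finance\\file{i:03d}.xlsx", SHARE_NONE)
                 for i in range(60)]
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    for sid, s in flag_sessions(recs).items():
        print(f"{sid}: {s['user']}@{s['client']} holds "
              f"{s['exclusive']}/{s['total']} exclusive opens")
    print("same account, several clients:", distributed_users(recs))
```

Counting exclusive handles per session rather than per file is deliberate: a single application legitimately holding one exclusive handle (the `lock.tmp` record above) never crosses the threshold, while a session that keeps hundreds of exclusive handles open across a share does, regardless of whether any write or encryption activity ever occurs. Grouping flagged sessions by account and client then surfaces the distributed, multi-host variant the article warns about.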

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: Monitor open-file counts at the file-server or storage layer and consider integrating the SIEM queries and NDR rule templates from the GhostLock whitepaper into detection pipelines.
  • Affected enterprises and procurement leaders: Recognize that standard user accounts can trigger this disruption and evaluate whether existing monitoring covers per-session file-handle metrics on SMB shares.
  • Adversaries and incident responders: The technique is attractive as a high-impact, reversible disruption and as a possible decoy; responders should account for the possibility of simultaneous, distributed reacquisition of handles across compromised endpoints.

GhostLock is not a novel exploit in the sense of unknown vulnerabilities; it repurposes a documented API behavior to create operational disruption. That combination — legitimate functionality used for malice, automated at scale, and observable primarily at storage-layer metrics — frames the practical risk: short-lived but wide-reaching availability outages that can distract or slow an organization’s response. Defenders who can instrument the file-server layer and apply the whitepaper’s detection templates will be best positioned to spot the pattern before an incident forces a reboot or session termination to restore access.

Original BleepingComputer story