Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ClickLock macOS Stealer Kills Apps, Forces Password Entry
July 17, 2026
Top 10 Identity Threat Detection and Response (ITDR) Solutions for 2026
July 17, 2026
GPT-5.6 Codex Bug Deletes Files From Home Directories
July 17, 2026
Home/CyberSecurity News/GhostLock Attack Exploits Windows SMB to Lock Files
CyberSecurity News

GhostLock Attack Exploits Windows SMB to Lock Files

Key Takeaways A new technique called GhostLock exploits standard Windows SMB file-sharing to render files inaccessible without encryption. It achieves business disruption similar to ransomware by...

Jennifer sherman
Jennifer sherman
May 11, 2026 5 Min Read
57 0

Key Takeaways

  • A new technique called GhostLock exploits standard Windows SMB file-sharing to render files inaccessible without encryption.
  • It achieves business disruption similar to ransomware by exclusively locking files, preventing any other access.
  • The attack leverages a fundamental, unpatchable Windows feature (CreateFileW API with dwShareMode=0), meaning no CVE is assigned.
  • GhostLock evades most conventional ransomware defenses, as it performs no write operations, making detection challenging.
  • Mitigation requires monitoring for anomalous numbers of exclusive file handles per SMB session and establishing coordinated SecOps/StorageOps incident response.

GhostLock: A New Paradigm in File Share Disruption

While traditional ransomware encrypts data and demands payment, a recently unveiled technique named GhostLock introduces a novel approach to achieving similar business disruption without altering a single byte on disk. This method focuses on denying access rather than encrypting files, presenting a significant challenge to existing cybersecurity defenses.

Table Of Content

  • Key Takeaways
  • GhostLock: A New Paradigm in File Share Disruption
  • Technical Underpinnings of the Attack
  • GhostLock Attack at Scale
  • Evasion of Conventional Defenses
  • Recovery Challenges and Recommendations
  • What You Should Do

Discovered by Kim Dvash, an Offensive Security Team Leader, GhostLock exploits fundamental behaviors within Windows file-sharing protocols to induce widespread accessibility failures. By systematically holding files in an exclusively locked state, a low-privileged domain user with standard read permissions can effectively paralyze corporate Server Message Block (SMB) file shares.

From a victim’s perspective, the impact of GhostLock is functionally indistinguishable from a ransomware attack. Critical files become unavailable, enterprise resource planning (ERP) applications may crash, and shared workflow pipelines fail, necessitating specialized intervention to restore normal operations.

Technical Underpinnings of the Attack

The GhostLock technique leverages a well-documented and core behavior of the Windows operating system. By invoking the CreateFileW API and setting the dwShareMode parameter to 0x00000000, any authenticated domain user can acquire an exclusive deny-share handle on a file over SMB. This action prevents any other process or network client from opening that specific file for any purpose—be it reading, writing, or deleting—until the handle is either voluntarily released or forcibly terminated by a storage administrator.

This behavior triggers a STATUS_SHARING_VIOLATION (0xC0000043) error for all subsequent access attempts. It’s important to note that this attack surface is not new; the CreateFileW API with dwShareMode = 0 is the same mechanism Microsoft Office uses when opening a document for editing. This functionality has been present since Windows NT 3.1. Consequently, no CVE has been filed for GhostLock, as it exploits an intended, albeit potentially misused, operating system feature rather than a software defect requiring a patch.

GhostLock Attack at Scale

The GhostLock implementation utilizes a Python ctypes wrapper to execute the critical API call, requiring no administrative privileges or external dependencies. To scale this attack across an enterprise Network Attached Storage (NAS) environment, it employs a 32-thread parallel work-stealing scanner. This scanner optimizes SMB2 QUERY_DIRECTORY round-trips, drastically reducing the time required for file discovery. For instance, on a file share containing 500,000 files, the discovery time was cut from over 61 minutes to approximately 6 minutes and 22 seconds.

In isolated infrastructure tests, the acquisition of exclusive handles across 500,000 files was completed in just 2 minutes and 37 seconds, achieving an impressive 99.6% lock success rate. During a 60-second hold period, victim simulations recorded a 99.8% file access block rate. A single SMB session can concurrently hold up to 64,000 exclusive handles, meaning ten parallel sessions could accumulate over 500,000 locked handles, sufficient to incapacitate a substantial portion of an entire enterprise NAS deployment.

Evasion of Conventional Defenses

One of the most concerning aspects of GhostLock is its ability to bypass nearly all conventional ransomware defense layers. The research evaluated the tool against seven categories of enterprise security controls, with alarming results:

  • Honeypot/canary files: Produced zero alerts because canaries typically trigger on write events, and GhostLock performs no write operations.
  • Write-rate anomaly detectors: Generated zero alerts as the monitored metric (write operations) is entirely absent from GhostLock’s activity.
  • Behavioral AI ransomware engines: Also produced zero alerts, as GhostLock’s read-open profile is indistinguishable from legitimate activities like a search indexer or backup pre-scan agent.
  • Commercial EDR agents: Exhibited zero alerts, as the system call profile mirrors common actions such as Microsoft Word opening documents.
  • NDR/deep packet inspection: Showed zero alerts, with SMB2 traffic consisting only of CREATE and CLOSE requests, identical to normal document access.
  • SIEM correlation rules: Produced zero alerts, as no existing rulesets are designed to monitor per-session exclusive handle accumulation.

The only reliable detection signal identified resides within the NAS management layer itself: the per-session count of simultaneously held exclusive handles. The research highlights that a legitimate single-user application rarely holds more than a few dozen exclusive handles concurrently, whereas GhostLock accumulates tens of thousands. However, this critical metric is not typically ingested by enterprise SIEMs, as noted in the study.

Recovery Challenges and Recommendations

Even after detection, recovery from a GhostLock attack is not straightforward. Terminating the offending SMB session requires specific storage administration expertise. In many large enterprises, storage operations and security operations teams function independently, often lacking pre-built joint runbooks for such incidents. Tabletop exercises without a pre-existing runbook estimated a mean time to recovery of 4 to 8 hours.

Furthermore, if an attacker’s Active Directory credentials are revoked, the existing authenticated SMB session and all its associated locks can persist for an additional 15 to 60 minutes, depending on platform configuration, before the session times out.

Dvash urges NAS vendors to expose per-session exclusive-handle counts as standard security telemetry, integrated with existing syslog outputs. He also calls on SIEM vendors to develop storage platform integrations capable of ingesting this crucial data.

The GhostLock tool and its source code are publicly available at github.com/kimd155/ghostlock, with further research details on the companion site at ghostlock.io.

What You Should Do

  • Implement Anomaly Detection for Exclusive Handles: Configure alerts for any single SMB session accumulating more than 500 exclusive handles. This threshold can be adjusted based on your environment’s typical usage.
  • Enhance Network Detection and Response (NDR): Establish an NDR rule to flag bulk SMB CREATE requests that are not followed by corresponding WRITE operations within a defined time window (e.g., 30 minutes).
  • Develop Joint SecOps/StorageOps Runbooks: Create and regularly test a specific incident response runbook for NAS session termination, ensuring seamless coordination between security and storage administration teams.
  • Pressure Vendors for Telemetry Improvements: Advocate for NAS vendors to expose per-session exclusive-handle counts as standard security telemetry and for SIEM vendors to integrate this data.
  • Review Active Directory Session Timeouts: Evaluate and potentially reduce SMB session timeout configurations to minimize the persistence of malicious locks after credential revocation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchransomwareSecurity

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware

Next Post

Hugging Face Repository Executes Malware on Windows Machines

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Linus Torvalds Clarifies Linux Kernel’s Stance on AI Development
July 17, 2026
7-Zip Critical Vulnerability Exposes Millions to Remote Code Execution
July 17, 2026
Two Hackers Jailed for Hacking 148 TfL Systems, Forcing 27,000 Staff Password Resets
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us