PROBABLYPWNED
Tools · May 12, 2026 · 5 min read

GhostLock Locks 500K Files in 3 Minutes Without Encryption

A new proof-of-concept tool abuses the Windows CreateFileW API to block file access across SMB shares. The technique evaded every EDR product tested and requires no elevated privileges.

David Okonkwo

A security researcher has released GhostLock, a proof-of-concept tool demonstrating how legitimate Windows file APIs can create ransomware-like impact without any encryption. The tool can lock half a million files on a corporate network share in under three minutes, evades all tested behavioral detection systems, and requires no elevated privileges.

The technique—created by Kim Dvash of Israel Aerospace Industries—abuses the CreateFileW API's sharing mode parameter to claim exclusive access to files. Users who attempt to open locked files receive a STATUS_SHARING_VIOLATION error. The files remain intact but completely inaccessible until the attacker's handles are released.

TL;DR

  • What happened: New PoC tool demonstrates file-locking attack that mimics ransomware impact
  • Who's affected: Any Windows environment with SMB file shares
  • Severity: High - evades all tested EDR products, requires no admin privileges
  • Action required: Deploy storage-layer monitoring for abnormal file-locking patterns

How GhostLock Works

The attack exploits a fundamental Windows file-sharing behavior rather than any vulnerability. When opening a file with CreateFileW, the dwShareMode parameter controls what access other processes can have:

  • FILE_SHARE_READ - Others can read the file
  • FILE_SHARE_WRITE - Others can write to the file
  • FILE_SHARE_DELETE - Others can delete the file
  • dwShareMode = 0 - Exclusive access, no sharing

According to BleepingComputer, "When a file is opened with dwShareMode = 0, Windows grants the process exclusive access to the file, preventing other users or applications from opening it."
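To make the sharing-mode rule concrete, here is a small model of the check Windows performs when a second handle is requested on an already-open file. This is an added example, not code from GhostLock or from the article; the constant values are the Win32 ones, but the model simplifies by treating GENERIC_READ, GENERIC_WRITE and DELETE as the only access rights, and the handle owners and scenarios are constructed.

```python
"""Model of the Windows share-mode check that produces STATUS_SHARING_VIOLATION.

Added example (not the tool's or the article's code). It reproduces the documented
CreateFileW rule: a new open succeeds only if (a) every access it requests is
permitted by the share mode of each existing handle, and (b) its own share mode
permits every access already granted to each existing handle.
"""
from dataclasses import dataclass

FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4
GENERIC_READ, GENERIC_WRITE, DELETE = 0x80000000, 0x40000000, 0x00010000
SHARE_ALL = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE

# Simplified mapping: each access right needs the matching share flag on every other handle.
_ACCESS_TO_SHARE = {
    GENERIC_READ: FILE_SHARE_READ,
    GENERIC_WRITE: FILE_SHARE_WRITE,
    DELETE: FILE_SHARE_DELETE,
}


@dataclass(frozen=True)
class OpenHandle:
    owner: str          # constructed label for who holds the handle
    desired_access: int
    share_mode: int


def _shares_needed(access: int) -> set:
    """Share flags that other handles must grant for this access mask."""
    return {share for acc, share in _ACCESS_TO_SHARE.items() if access & acc}


def check_open(existing, desired_access: int, share_mode: int) -> bool:
    """True if a new CreateFileW(desired_access, share_mode) would succeed,
    False if it would fail with STATUS_SHARING_VIOLATION."""
    needed = _shares_needed(desired_access)
    for h in existing:
        # (a) the existing handle must share every access the newcomer wants
        if any(not (h.share_mode & s) for s in needed):
            return False
        # (b) the newcomer must share every access the existing handle already holds
        if any(not (share_mode & s) for s in _shares_needed(h.desired_access)):
            return False
    return True


def outcome(existing, desired_access: int, share_mode: int) -> str:
    return "OK" if check_open(existing, desired_access, share_mode) else "STATUS_SHARING_VIOLATION"


def demo():
    """Constructed scenarios illustrating the rule from the defender's side."""
    # A handle opened with dwShareMode = 0 blocks even a read-only open by anyone else.
    exclusive = [OpenHandle("exclusive-holder", GENERIC_READ, 0)]
    # A normal editor that shares reads but not writes.
    editor = [OpenHandle("editor", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ)]
    # A user who already has the file open for reading with full sharing.
    reader = [OpenHandle("reader", GENERIC_READ, SHARE_ALL)]
    return {
        "read_while_exclusive": outcome(exclusive, GENERIC_READ, SHARE_ALL),
        "read_while_edited": outcome(editor, GENERIC_READ, SHARE_ALL),
        "write_while_edited": outcome(editor, GENERIC_WRITE, SHARE_ALL),
        # An exclusive open attempted while someone already reads the file also fails:
        # files a user already has open are not captured by a share-mode-0 request.
        "exclusive_while_read": outcome(reader, GENERIC_READ, 0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The last scenario is worth noting for responders: a share-mode-0 request only wins the file if nobody else holds it open, so handles users already hold stay valid until they are closed.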

GhostLock automates this at scale:

  1. Recursively enumerate files on SMB shares
  2. Open each file with exclusive sharing mode
  3. Maintain handles across multiple processes
  4. Optionally coordinate attacks from multiple compromised systems

Standard domain users can execute the tool—no privilege escalation required. The attacker just needs read access to the target shares.

Why EDR Doesn't See It

Traditional behavioral detection focuses on ransomware indicators: mass file writes, encryption operations, file extension changes, ransom note creation. GhostLock does none of these things.

As Dvash explained in the research paper, the tool "primarily generates large numbers of legitimate file open requests." Every API call is individually benign. The malicious behavior only emerges at scale.

All commercial behavioral AI products tested in the research produced zero alerts. This includes leading EDR solutions that claim ransomware protection.

Detection requires monitoring "per-session open-file count with ShareAccess = 0 at the file server layer"—metrics typically found in storage management interfaces rather than Windows event logs or network flow data.

Attack Scenarios

The researcher characterizes GhostLock as "disruption-based, not destructive." Unlike ransomware attacks, no data is actually modified or encrypted. But the operational impact can be severe:

Operational disruption: Critical business files become inaccessible. Finance can't process invoices, engineering can't access designs, legal can't retrieve contracts. Every department with files on affected shares stops working.

Tactical cover: An attacker conducting data theft or lateral movement could trigger GhostLock as a distraction. While IT scrambles to restore file access, the real operation continues unnoticed.

Extortion without encryption: Attackers could demand payment to release the file handles, achieving ransomware-like leverage without the technical complexity of encryption or decryption key management.

IT resource exhaustion: Overwhelming the helpdesk with access complaints while a more serious intrusion is under way.

Recovery Is Simple—Once You Know

The good news: recovering from a GhostLock attack is trivial compared to ransomware. Files aren't damaged or encrypted. Once the attacker's handles are released, normal access resumes immediately.

Handles are released when:

  • The SMB session is terminated
  • The GhostLock processes are killed
  • The attacking system is rebooted
  • Network connectivity to the share is severed

Identifying which system holds the handles requires storage-level visibility. Windows Server's Resource Monitor or the openfiles command can show open handles, but neither scales well in large environments.

Detection Recommendations

  1. Monitor storage platform metrics for abnormal file-locking patterns—look for single sessions holding thousands of exclusive handles

  2. Deploy SIEM queries from the GhostLock whitepaper targeting ShareAccess=0 at scale

  3. Implement NDR rules for SMB sessions opening unusual numbers of files in exclusive mode

  4. Review SMB configurations to ensure logging captures sufficient detail for forensic analysis

  5. Test your detection by running GhostLock in a lab environment against your monitoring stack
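The metric the article keeps returning to (per-session count of opens with ShareAccess = 0, and the client holding them) can be computed from an open-file export before a SIEM or NDR rule exists. The following is an added example, not GhostLock's code or anything from the whitepaper: the record layout is an assumption modelled on what a file server or SMB audit export provides, the thresholds are illustrative, and all three sessions are constructed. It flags a session by the peak number of exclusive opens inside a sliding window, so a user holding a handful of document locks or a backup agent opening thousands of files with sharing allowed are not reported.

```python
"""Detect exclusive-handle hoarding from per-session open-file records.

Added example (not the tool's or the article's code). Record shape and thresholds
are assumptions; the sample sessions are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FILE_SHARE_READ = 0x1


@dataclass(frozen=True)
class OpenRecord:
    session_id: str
    client: str        # client computer that owns the SMB session
    user: str
    path: str
    share_mode: int    # bitmask 1=READ 2=WRITE 4=DELETE; 0 = exclusive (ShareAccess = 0)
    opened_at: datetime


def exclusive_open_stats(records, window=timedelta(minutes=5)):
    """Per session: total exclusive opens and the peak count within any `window`."""
    by_session = defaultdict(list)
    for r in records:
        if r.share_mode == 0:
            by_session[r.session_id].append(r)
    stats = {}
    for sid, opens in by_session.items():
        times = sorted(r.opened_at for r in opens)
        peak = start = 0
        for end in range(len(times)):          # sliding window over sorted open times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        stats[sid] = {
            "client": opens[0].client,
            "user": opens[0].user,
            "exclusive_opens": len(times),
            "peak_in_window": peak,
        }
    return stats


def flag_sessions(records, max_exclusive=200, window=timedelta(minutes=5)):
    """Sessions whose burst of exclusive opens exceeds the threshold; the client
    and user fields tell responders which SMB session to terminate."""
    return {sid: s for sid, s in exclusive_open_stats(records, window).items()
            if s["peak_in_window"] >= max_exclusive}


def make_sample_records():
    """Constructed records: normal editing, a backup job, and a locking burst."""
    base = datetime(2026, 5, 12, 9, 0, 0)
    recs = []
    # Constructed: a user editing three spreadsheets over 15 minutes (exclusive locks are normal here).
    for i in range(3):
        recs.append(OpenRecord("s-1001", "WS-FIN-07", "CORP\\alice",
                               f"\\\\fs01\\finance\\q2\\report{i}.xlsx", 0,
                               base + timedelta(minutes=i * 7)))
    # Constructed: a backup agent reading 5000 files with FILE_SHARE_READ; not exclusive.
    for i in range(5000):
        recs.append(OpenRecord("s-2002", "BACKUP01", "CORP\\svc-backup",
                               f"\\\\fs01\\eng\\{i}.bin", FILE_SHARE_READ,
                               base + timedelta(milliseconds=i * 20)))
    # Constructed: one session opening 2500 files with ShareAccess = 0 in about two minutes.
    for i in range(2500):
        recs.append(OpenRecord("s-3003", "WS-ENG-42", "CORP\\bob",
                               f"\\\\fs01\\eng\\designs\\part{i}.dwg", 0,
                               base + timedelta(milliseconds=i * 50)))
    return recs


if __name__ == "__main__":
    for sid, s in flag_sessions(make_sample_records()).items():
        print(f"ALERT session={sid} client={s['client']} user={s['user']} "
              f"exclusive_opens={s['exclusive_opens']} peak_5min={s['peak_in_window']}")
```

The output of this check feeds the recovery step directly: the flagged session's client name is the system whose SMB session to terminate, which releases every handle it holds at once.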

Why This Matters

GhostLock exposes a gap between vendor marketing and reality. Every major EDR claims ransomware protection, yet a technique that achieves ransomware-like disruption evades all of them.

The research also highlights how threat actors think. If encryption is what triggers detection, they'll find ways to achieve their goals without encryption. If mass file modifications generate alerts, they'll manipulate access control instead.

This pattern extends beyond GhostLock. We've seen similar evasion techniques emerge across the threat landscape as attackers study—and specifically design around—security product behavior.

Organizations relying solely on endpoint detection for ransomware protection should consider whether their storage infrastructure has adequate visibility into file-access anomalies. The detection gap exists at the layer between endpoint and storage—and that's exactly where GhostLock operates.

Frequently Asked Questions

Is GhostLock malware? It's a proof-of-concept research tool, not malware distributed in attacks. However, the technique it demonstrates could be weaponized by threat actors. The researcher released it to help defenders understand the gap in their detection coverage.

Does this work against cloud storage? GhostLock specifically targets Windows SMB shares. Cloud storage platforms like OneDrive, SharePoint Online, or Google Drive have different architectures that wouldn't be affected by this technique.

Can antivirus detect GhostLock? Traditional signature-based antivirus won't detect GhostLock because it uses only legitimate Windows API calls. Behavioral detection also fails because the individual actions aren't malicious—only the aggregate pattern is.
