GhostLock: A Stealthy Ransomware Alternative That Paralyzes Enterprise Networks Without Encryption
A newly uncovered attack technique, GhostLock, demonstrates how adversaries can cripple enterprise networks without encrypting a single file. Discovered by Kim Dvash, Offensive Security Team Leader, the method exploits a fundamental Windows behavior to lock files en masse, rendering critical systems inaccessible, mirroring the impact of traditional ransomware but evading all conventional defenses.
How GhostLock Works
GhostLock leverages CreateFileW, a standard Windows API, called with dwShareMode set to 0x00000000, which grants an exclusive deny-share handle on a file, including files reached over Server Message Block (SMB). This means any authenticated domain user, even one with low privileges, can lock files, preventing all other processes from reading, writing, or deleting them until the handle is released or the session is terminated by an administrator.
The attack scales rapidly using a 32-thread parallel scanner, reducing file discovery on a 500,000-file share from over an hour to just 6 minutes and 22 seconds. In experimental tests, GhostLock locked 99.6% of files in under 3 minutes, with a 99.8% access block rate during a 60-second hold. A single SMB session can hold 64,000 exclusive handles, and with 10 parallel sessions an attacker can lock over 500,000 files, enough to paralyze an entire enterprise NAS.
Why GhostLock Evades Detection
Unlike traditional ransomware, GhostLock does not write to disk, making it invisible to standard security controls:
- Honeypot/canary files (triggered by write operations) fail to detect it.
- Write-rate anomaly detectors (monitoring disk activity) register no alerts.
- Behavioral AI ransomware engines misclassify it as legitimate activity (e.g., a search indexer or backup agent).
- EDR agents see only CreateFileW calls, identical to Microsoft Word opening documents.
- NDR/deep packet inspection detects only SMB2 CREATE/CLOSE requests, indistinguishable from normal file access.
- SIEM correlation rules lack visibility into per-session exclusive handle counts, the only reliable detection metric.
The only detectable anomaly is a single SMB session accumulating thousands of exclusive handles, a behavior rarely seen in legitimate applications. However, most NAS vendors do not expose this telemetry, and SIEMs lack integrations to monitor it.
Recovery Challenges
Even after detection, remediation is difficult:
- Terminating the malicious SMB session requires storage administration expertise, often siloed from security teams.
- Without pre-built runbooks, recovery takes 4–8 hours in tabletop exercises.
- If the attacker’s Active Directory credentials are revoked, the session (and its locks) may persist for 15–60 minutes before timing out.
Defensive Recommendations
The research urges NAS vendors to expose per-session exclusive-handle counts in security logs and SIEM vendors to ingest this data. Immediate mitigations include:
- Alerting on SMB sessions with >500 exclusive handles.
- NDR rules for bulk SMB CREATE requests without corresponding WRITE operations over 30 minutes.
- Joint SecOps/StorageOps runbooks for rapid session termination.
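The two alerting rules above, the per-session exclusive-handle count and the bulk-CREATE-without-WRITE window, as an added detection example written for this page rather than code from GhostLock or any NAS/SIEM vendor. The event schema, the session names and the 1,000-CREATE "bulk" floor are assumptions; the >500 handle threshold and the 30-minute window are the article's figures.

```python
"""Detect GhostLock-style handle hoarding from per-session SMB2 CREATE/CLOSE/WRITE events.
Illustrative detector for this article, not GhostLock's or a vendor's code. Event schema,
session names and BULK_CREATE_MIN are assumed; the other two thresholds are the article's."""
from collections import defaultdict

EXCLUSIVE_HANDLE_THRESHOLD = 500  # per-session alert level recommended by the research
BULK_WINDOW_SECONDS = 30 * 60     # the "over 30 minutes" NDR rule
BULK_CREATE_MIN = 1000            # assumed: how many CREATEs count as "bulk"
FILE_SHARE_NONE = 0               # dwShareMode 0x00000000: deny-share (exclusive) handle

def detect(events):
    """Return [(rule, session, ts)], at most once per rule per session."""
    exclusive = defaultdict(set)   # session -> file ids currently held with share mode 0
    creates = defaultdict(list)    # session -> CREATE timestamps
    writes = defaultdict(list)     # session -> WRITE timestamps
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        sess, op, ts = ev["session"], ev["op"], ev["ts"]
        if op == "CREATE":
            creates[sess].append(ts)
            if ev["share_mode"] == FILE_SHARE_NONE:
                exclusive[sess].add(ev["file"])
        elif op == "CLOSE":
            exclusive[sess].discard(ev["file"])
        elif op == "WRITE":
            writes[sess].append(ts)
        # Rule 1: one session accumulating >500 live exclusive handles.
        if len(exclusive[sess]) > EXCLUSIVE_HANDLE_THRESHOLD and ("exclusive", sess) not in fired:
            fired.add(("exclusive", sess)); alerts.append(("exclusive_handles", sess, ts))
        # Rule 2: bulk CREATEs with no WRITE in the trailing 30-minute window.
        recent_creates = sum(1 for t in creates[sess] if ts - t <= BULK_WINDOW_SECONDS)
        recent_writes = any(ts - t <= BULK_WINDOW_SECONDS for t in writes[sess])
        if recent_creates >= BULK_CREATE_MIN and not recent_writes and ("bulk", sess) not in fired:
            fired.add(("bulk", sess)); alerts.append(("bulk_create_no_write", sess, ts))
    return alerts

def sample_events():
    """Constructed telemetry: a Word user, a read-only backup sweep, a GhostLock-style locker."""
    ev = []
    for i in range(3):  # Word: a few shared-read handles followed by real writes
        ev += [{"ts": 10 + i, "session": "word", "op": "CREATE", "file": f"doc{i}", "share_mode": 1},
               {"ts": 20 + i, "session": "word", "op": "WRITE", "file": f"doc{i}", "share_mode": None}]
    for i in range(1500):  # backup agent: many shared-read CREATEs, each closed, never written
        ev += [{"ts": 100 + i, "session": "backup", "op": "CREATE", "file": f"b{i}", "share_mode": 1},
               {"ts": 100.5 + i, "session": "backup", "op": "CLOSE", "file": f"b{i}", "share_mode": None}]
    for i in range(1200):  # locker: deny-share handles never closed, never written
        ev.append({"ts": 5000 + i, "session": "ghost", "op": "CREATE", "file": f"f{i}", "share_mode": 0})
    return ev
```

Note that the read-only backup sweep also trips the CREATE-without-WRITE rule, while only the locker trips the exclusive-handle rule; the share-mode-0 handle count is the discriminating signal, which is why the article asks vendors to expose it.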
GhostLock’s source code and research are publicly available on GitHub and ghostlock.io, highlighting a new frontier in file-locking attacks that bypass traditional ransomware defenses.
Source: https://cybersecuritynews.com/ghostlock-attack/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-threat-intelligence
{
"id": "mic1778502243",
"linkid": "microsoft-threat-intelligence",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'type': 'Enterprise'}],
 'attack_vector': 'Exploitation of Windows CreateFileW API with dwShareMode=0x00000000 over SMB',
 'description': 'A newly uncovered attack technique, GhostLock, demonstrates how adversaries can cripple enterprise networks without encrypting a single file. The method exploits a fundamental Windows behavior to lock files en masse, rendering critical systems inaccessible, mirroring the impact of traditional ransomware but evading all conventional defenses.',
 'impact': {'downtime': '4–8 hours (recovery time in tabletop exercises)',
            'operational_impact': 'Paralyzes enterprise networks, prevents access to critical files',
            'systems_affected': 'Enterprise NAS, critical file shares'},
 'lessons_learned': 'GhostLock evades traditional ransomware defenses by not writing to disk, highlighting the need for improved telemetry and cross-team runbooks.',
 'post_incident_analysis': {'corrective_actions': 'Improved logging, cross-team runbooks, enhanced monitoring for SMB session anomalies.',
                            'root_causes': 'Exploitation of Windows CreateFileW API with exclusive deny-share handles, lack of telemetry for per-session exclusive handles in NAS/SIEM systems.'},
 'ransomware': {'data_encryption': 'No (files are locked, not encrypted)'},
 'recommendations': ['NAS vendors should expose per-session exclusive-handle counts in security logs.',
                     'SIEM vendors should ingest exclusive-handle telemetry.',
                     'Implement alerting on SMB sessions with >500 exclusive handles.',
                     'Deploy NDR rules for bulk SMB CREATE requests without corresponding WRITE operations over 30 minutes.',
                     'Develop joint SecOps/StorageOps runbooks for rapid session termination.'],
 'references': [{'source': 'GitHub', 'url': 'https://github.com/kimd155/ghostlock'},
                {'source': 'GhostLock Research', 'url': 'https://ghostlock.io'}],
 'response': {'containment_measures': 'Terminating malicious SMB session, revoking Active Directory credentials',
              'enhanced_monitoring': 'Alerting on SMB sessions with >500 exclusive handles, NDR rules for bulk SMB CREATE requests without corresponding WRITE operations',
              'remediation_measures': 'Joint SecOps/StorageOps runbooks for rapid session termination'},
 'title': 'GhostLock: A Stealthy Ransomware Alternative That Paralyzes Enterprise Networks Without Encryption',
 'type': 'File-Locking Attack',
 'vulnerability_exploited': 'Exclusive deny-share handle via CreateFileW API'}