Security researchers have unveiled a novel defense bypass that allows any low-privileged domain user to lock down an entire enterprise network’s files instantly—without writing a single line of code, modifying extensions, or encrypting data.
A newly published whitepaper by offensive security team leader Kim Dvash has introduced GhostLock, a zero-privilege availability weapon that turns native Windows file-sharing mechanics against corporate networks. The technique completely upends how modern enterprise security tools monitor for ransomware, creating a structural blind spot that affects virtually every business utilizing Network-Attached Storage (NAS) or Server Message Block (SMB) architectures.
For years, the multi-billion-dollar cybersecurity industry has built defenses tailored to intercept the specific mechanical indicators of ransomware: unexpected bulk file modification, high-entropy writes signaling encryption, and mass extension renames. GhostLock proves that the core objective of a ransomware attack—denying an organization access to its data—can be achieved seamlessly by abusing standard operating system functions.
“We present GhostLock, a technique and accompanying open-source proof-of-concept tool demonstrating that a low-privileged Windows domain user with standard read access to an SMB file share can produce ransomware-equivalent organizational availability impact without writing, renaming, or encrypting any data,” reads the research.
The entire attack rests on a single, correctly implemented Windows API call: CreateFileW, invoked with its share mode parameter (dwShareMode) set to zero (0x00000000), which requests exclusive access to the file.
When a standard application, such as Microsoft Word, opens a file for editing, it requests an exclusive handle to preserve file integrity. The Windows I/O Manager and network redirectors pass this request down to the storage layer, which is required by the protocol specification to honor it.
By systematically automating this process using a high-speed, parallel 32-thread scanner, GhostLock can traverse a network drive and acquire hundreds of thousands of these exclusive handles in under ten minutes.
Any subsequent application or user attempting to access the affected files is immediately locked out, encountering a native STATUS_SHARING_VIOLATION (0xC0000043) failure.
Because the files themselves are completely untouched, behavioral AI agents, honeypot canary files, and network detection platforms see the traffic as entirely benign.
“Critically, the technique produces zero disk writes, zero file renames, zero extension changes, and zero encryption-related I/O—the precise signals upon which every modern behavioral ransomware defense is predicated,” the researcher notes.
Unlike traditional security flaws, GhostLock does not exploit a software bug, misconfiguration, or memory corruption vulnerability. It utilizes mandatory, documented features dating back to Windows NT 3.1. As a result, security teams face a unique engineering roadblock.
“No software vulnerability is exploited; the behavior is correct, mandatory, and cannot be restricted without breaking fundamental file integrity semantics across the Windows ecosystem,” the researcher warns.
If an administrator attempts to globally restrict users from requesting exclusive file handles, fundamental office workflows, databases, and enterprise software pipelines across the organization will instantly break. No CVE patch can or will be issued to mitigate this behavior.
The research validated GhostLock’s evasion against primary commercial security controls, noting that endpoint detection and response (EDR) agents see a script opening remote files for reading as identical to an authorized background backup client or search indexer.
The whitepaper notes that the single source of truth for defenders lies within the storage platform session tables themselves. NAS systems actively maintain records of every open handle, meaning a single user holding thousands of concurrent exclusive handles stands out as an obvious anomaly. However, this data is rarely piped into security information and event management (SIEM) systems.
To bridge this gap, Dvash recommends implementing storage-layer telemetry rules that actively alert when a single SMB session accumulates more than 500 simultaneous exclusive handles. Furthermore, security teams must build joint response runbooks alongside storage operations teams to ensure rogue sessions can be terminated at the NAS management layer immediately during an incident.
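The per-session handle-count rule from the two preceding paragraphs, as an added example that is not from the whitepaper or the GhostLock tool: it parses a constructed export of a storage platform's open-handle table (the column layout is assumed; real NAS exports differ) and flags any SMB session holding more than 500 exclusive handles, i.e. handles opened with a share mode of 0.

```python
"""Storage-layer detection rule: one SMB session hoarding exclusive handles."""
from collections import defaultdict
from dataclasses import dataclass

EXCLUSIVE_HANDLE_THRESHOLD = 500  # per-session alert threshold recommended by the whitepaper


@dataclass(frozen=True)
class OpenHandle:
    session_id: str
    user: str
    client_ip: str
    path: str
    share_mode: int  # FILE_SHARE_READ=1, WRITE=2, DELETE=4; 0 means exclusive


def parse_handle_export(text):
    """Parse an assumed CSV layout: session_id,user,client_ip,share_mode_hex,path."""
    handles = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        session_id, user, client_ip, mode, path = line.split(",", 4)
        handles.append(OpenHandle(session_id, user, client_ip, path, int(mode, 16)))
    return handles


def exclusive_handles_per_session(handles):
    """Count only share-mode-0 handles; a backup client holding many shared handles is benign."""
    counts = defaultdict(int)
    for h in handles:
        if h.share_mode == 0:
            counts[h.session_id] += 1
    return dict(counts)


def find_hoarding_sessions(handles, threshold=EXCLUSIVE_HANDLE_THRESHOLD):
    owners = {h.session_id: (h.user, h.client_ip) for h in handles}
    return [
        {"session_id": sid, "user": owners[sid][0], "client_ip": owners[sid][1], "exclusive_handles": n}
        for sid, n in sorted(exclusive_handles_per_session(handles).items(), key=lambda kv: -kv[1])
        if n > threshold
    ]


# Constructed sample: an editing user (1 exclusive handle), a backup account (800 shared
# handles, share mode 0x7) and one session holding 600 exclusive handles across a share.
SAMPLE_EXPORT = "\n".join(
    ["# session_id,user,client_ip,share_mode_hex,path",
     "0x1a2b,CORP\\alice,10.0.0.12,0x0,\\finance\\budget.docx",
     "0x1a2b,CORP\\alice,10.0.0.12,0x1,\\finance\\notes.txt"]
    + [f"0x3c4d,CORP\\svc_backup,10.0.0.50,0x7,\\finance\\file{i}.xlsx" for i in range(800)]
    + [f"0x5e6f,CORP\\bob,10.0.0.77,0x0,\\projects\\doc{i}.pdf" for i in range(600)]
)

if __name__ == "__main__":
    for a in find_hoarding_sessions(parse_handle_export(SAMPLE_EXPORT)):
        print(f"ALERT session={a['session_id']} user={a['user']} client={a['client_ip']} "
              f"exclusive_handles={a['exclusive_handles']}")
```

The alert output carries the session id and client address so the storage team can terminate the offending session at the NAS management layer, as the joint runbook above calls for.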