Cybersecurity experts have identified a new attack technique called “GhostLock,” which can deliver ransomware-like disruption without encrypting any data. Instead of using encryption, the method abuses legitimate Windows operating system behavior to make files completely inaccessible to other users and processes, effectively paralyzing enterprise file-sharing environments.
The technique was discovered by Offensive Security Team Leader Kim Dvash, who highlighted that GhostLock exploits long-standing and well-documented Windows file-handling mechanisms. Researchers warn that this can lead to severe availability disruption across organizations relying on SMB-based file-sharing infrastructure.
Windows SMB Functionality Exploited
GhostLock leverages Microsoft Windows SMB file-sharing functionality. The attacker uses the CreateFileW API in a way that forces files into an “exclusive lock” state, preventing any other process from accessing them.
This is achieved by setting the parameter dwShareMode = 0, which blocks all simultaneous access to the file. As a result, any attempt to read, modify, or delete the file fails and triggers a STATUS_SHARING_VIOLATION error.
Crucially, this technique does not require administrator privileges. A low-privileged domain user with standard access rights can execute it over SMB, making it particularly dangerous in enterprise environments where internal access is often broadly distributed.
Although GhostLock does not encrypt files, the operational impact mirrors traditional ransomware attacks. Critical enterprise systems such as ERP platforms, shared storage servers, and internal workflow applications can suddenly become unusable.
From an operational standpoint, organizations experience complete disruption of file access. However, unlike ransomware, there is no decryption demand. Instead, recovery depends on forcibly releasing locked sessions or terminating the malicious SMB connections.
Thousands of Files Locked Within Minutes
Research indicates that GhostLock can lock thousands of files within minutes using multi-threaded scanning and parallel SMB requests. In large environments containing hundreds of thousands of files, this can result in widespread operational paralysis very quickly.
A single SMB session can hold thousands of exclusive file handles at once. When multiple sessions are combined, attackers can effectively lock down entire network-attached storage systems, severely impacting business continuity and productivity.
One of the most concerning aspects of GhostLock is its ability to evade conventional security defenses. It does not modify or write files, so ransomware detection tools are not triggered. No encryption is used, so cryptographic anomaly detection remains inactive.
Network traffic appears legitimate, resembling normal SMB file operations, while EDR and SIEM tools often lack dedicated detection rules for excessive exclusive-handle usage. Because of this, the attack can remain largely undetected within standard enterprise monitoring frameworks.
Behaviour Analytics as Critical Defence
Experts caution that recovery is complex and often requires storage-level administrative intervention. Terminating malicious SMB sessions is not always immediate and may require coordination across different operational teams.
In many organizations, security operations and storage management teams work independently, which can significantly delay response efforts. As a result, recovery time can range from 4 to 8 hours, and in complex enterprise environments it may take even longer to fully restore operations.
Highlighting the seriousness of such non-encryption-based attacks, renowned cyber crime expert and former IPS officer Prof. Triveni Singh stated, “The biggest shift we are seeing in modern cyber attacks is the move away from encryption-based ransomware to disruption-based models. Techniques like GhostLock exploit legitimate system behavior, making detection extremely difficult. Organizations must rethink their security monitoring approach and focus more on behavior analytics and system-level telemetry rather than just malware signatures.”
Security researchers recommend alerting when a single SMB session accumulates unusually high numbers of exclusive file handles, monitoring large-scale file access patterns without corresponding write operations, establishing joint incident response protocols between security and storage teams, and enabling NAS-level telemetry to track per-session handle usage in real time.
Improving visibility into SMB session behavior is considered critical for early detection of such attacks.
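The first two recommendations above can be expressed as one detection rule. The following is an added example, not code from the researchers or any vendor: the event schema (`session`, `user`, `op`, `path`, `share_mode`), the sample events, and both thresholds are assumptions, with `share_mode` mirroring the `dwShareMode` value described earlier (0 = exclusive).

```python
from collections import defaultdict

def make_sample_events():
    """Constructed telemetry; share_mode mirrors dwShareMode (0 = exclusive)."""
    ev = []
    for i in range(5):       # S1: ordinary user, shared opens with writes
        p = f"finance\\report{i}.xlsx"
        ev.append({"session": "S1", "user": "alice", "op": "open", "path": p, "share_mode": 3})
        ev.append({"session": "S1", "user": "alice", "op": "write", "path": p})
        ev.append({"session": "S1", "user": "alice", "op": "close", "path": p})
    for i in range(300):     # S2: exclusive opens that are never written or closed
        ev.append({"session": "S2", "user": "bob", "op": "open",
                   "path": f"erp\\data{i}.db", "share_mode": 0})
    for i in range(150):     # S3: exclusive opens released at once (benign batch job)
        p = f"archive\\doc{i}.pdf"
        ev.append({"session": "S3", "user": "svc_backup", "op": "open", "path": p, "share_mode": 0})
        ev.append({"session": "S3", "user": "svc_backup", "op": "close", "path": p})
    return ev

def find_suspect_sessions(events, max_exclusive=100, max_write_ratio=0.05):
    """Flag sessions holding many exclusive handles with almost no writes."""
    held = defaultdict(set)      # session -> paths currently held exclusively
    opens = defaultdict(int)
    writes = defaultdict(int)
    users = {}
    for e in events:
        s = e["session"]
        users[s] = e["user"]
        if e["op"] == "open":
            opens[s] += 1
            if e.get("share_mode") == 0:
                held[s].add(e["path"])
        elif e["op"] == "close":
            held[s].discard(e["path"])   # a released handle no longer counts
        elif e["op"] == "write":
            writes[s] += 1
    alerts = []
    for s, paths in held.items():
        ratio = writes[s] / opens[s] if opens[s] else 0.0
        if len(paths) > max_exclusive and ratio <= max_write_ratio:
            alerts.append({"session": s, "user": users[s],
                           "exclusive_held": len(paths), "writes": writes[s]})
    return sorted(alerts, key=lambda a: a["exclusive_held"], reverse=True)

if __name__ == "__main__":
    for alert in find_suspect_sessions(make_sample_events()):
        print(alert)
```

Counting handles still held, rather than total exclusive opens, keeps jobs that take and release exclusive access (session S3 in the sample) from raising alerts.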
GhostLock represents a major evolution in cyberattack techniques, where attackers no longer rely solely on encryption or data theft. Instead, they exploit system availability mechanisms to achieve the same disruptive outcomes.