Published May 7, 2026 | Version v1

GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon

Authors/Creators

  • 1. Independent Security Researcher

Description

Traditional ransomware disrupts organizations by encrypting data and demanding payment for decryption keys. This paper presents a fundamentally different availability attack that achieves the same business disruption without writing a single encrypted byte to disk.

By calling the Windows API CreateFileW with dwShareMode set to zero, a low-privileged domain user with standard read access to a corporate SMB file share can hold files in an exclusively locked state for an indefinite duration. The result is identical to ransomware from the victim's perspective: critical files become inaccessible, ERP and workflow systems fail, and recovery requires specialist intervention.

The difference is what the attack does not produce. No writes. No renames. No new file extensions. No encryption overhead. No C2 infrastructure. Every behavioral ransomware defense in the modern enterprise stack is completely blind to it. The only reliable detection signal sits inside the file server itself, in a metric that virtually no enterprise SIEM currently ingests.

No CVE. No patch. This is documented Windows behavior, working exactly as designed for 30 years. The GhostLock tool, developed and tested under explicit written authorization during an authorized red team engagement, demonstrates this technique.
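The share-mode compatibility check that the description relies on can be modeled in a few lines. This is an added example, not code from the paper or the GhostLock repository; the class and function names are hypothetical, and access rights are simplified to the read/write/delete classes that the Windows sharing check considers.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntFlag

class Access(IntFlag):   # simplified access classes (assumption of this model)
    NONE = 0             # metadata-only open: attributes, synchronize
    READ = 1
    WRITE = 2
    DELETE = 4

class Share(IntFlag):    # values match FILE_SHARE_* in the Windows SDK
    NONE = 0x0           # dwShareMode = 0: no sharing at all
    READ = 0x1
    WRITE = 0x2
    DELETE = 0x4

@dataclass(frozen=True)
class Handle:
    owner: str
    access: Access
    share: Share

def _permits(share: Share, access: Access) -> bool:
    """True if `share` allows every access class present in `access`."""
    return int(access) & ~int(share) == 0

def can_open(existing: list[Handle], access: Access, share: Share) -> bool:
    """Return False where Windows would fail with ERROR_SHARING_VIOLATION."""
    if access == Access.NONE:
        return True                  # metadata-only opens skip the check
    for h in existing:
        if h.access == Access.NONE:
            continue                 # and are not counted against others
        # The new access must be allowed by every earlier share mode, and
        # the new share mode must allow every access already granted.
        if not _permits(h.share, access) or not _permits(share, h.access):
            return False
    return True

# Constructed sample: one read-only handle opened with share mode 0.
EXCLUSIVE = [Handle("low-priv-user", Access.READ, Share.NONE)]
ALL_SHARES = Share.READ | Share.WRITE | Share.DELETE

if __name__ == "__main__":
    for want in (Access.READ, Access.WRITE, Access.DELETE, Access.NONE):
        print(want.name, can_open(EXCLUSIVE, want, ALL_SHARES))
```

In this model the file's attributes can still be queried while the exclusive handle is open, but any open that reads, writes or deletes data is refused until that handle is closed.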

Files

ghostlock_whitepaper.pdf (54.3 kB)
md5:c64df435515814f83cf09fd7b2463b32

Additional details

Software

Repository URL: https://github.com/kimd155/ghostlock
Programming language: Python
Development Status: Active