VYPR research
Published May 11, 2026 · Updated May 17, 2026 · 1 source

GhostLock Tool Abuses Windows API to Disrupt File Access

A new proof-of-concept tool called GhostLock demonstrates how attackers can abuse the Windows 'CreateFileW' API to perform denial-of-service attacks by locking local and network files.

A new proof-of-concept tool called GhostLock has been released, demonstrating how attackers can leverage a legitimate Windows API to perform denial-of-service attacks against local and network-stored files. By abusing the CreateFileW function, the tool allows unauthorized users to lock files, rendering them inaccessible to other applications and users across an organization's infrastructure (BleepingComputer).

The technical mechanism behind GhostLock centers on the dwShareMode parameter of the CreateFileW() API. When an attacker sets this parameter to 0, Windows grants the calling process exclusive access to the targeted file. Consequently, any subsequent attempt by other users or applications to open that file results in a STATUS_SHARING_VIOLATION error (BleepingComputer).

The tool, developed by Kim Dvash of Israel Aerospace Industries, automates this process by recursively opening a vast number of files on SMB network shares. Because the attack requires no elevated privileges, it can be executed by any standard domain user. The disruption can be further amplified if an attacker coordinates the attack across multiple compromised devices, continuously reacquiring file handles to maintain the lock state (BleepingComputer).

While the technique effectively halts access to files, it is not destructive in the manner of ransomware. Dvash notes that GhostLock is primarily a disruption-based denial-of-service tool. Access to the files is automatically restored once the SMB session is terminated, the malicious processes are killed, or the affected system is rebooted (BleepingComputer).

The primary danger of GhostLock lies in its potential use as a decoy or distraction. By triggering widespread file-access issues, an attacker can overwhelm IT staff with support requests, creating a window of opportunity to conduct data theft or lateral movement elsewhere in the network. Furthermore, because the attack relies on legitimate file open requests rather than mass encryption or file writes, it often evades traditional EDR telemetry and behavioral detection systems (BleepingComputer).

Defending against this technique is challenging because the activity does not typically appear in standard Windows event logs or network flow data. Dvash suggests that the most reliable detection method is monitoring the per-session open-file count with ShareAccess = 0 directly at the file server layer. To assist defenders, the researcher has provided SIEM queries and an NDR detection rule template within the GhostLock whitepaper (BleepingComputer).
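The detection signal described above, per-session counts of files held open with ShareAccess = 0, can be illustrated with a small detector. The following is an added example written for this summary; it is not code from GhostLock, its whitepaper, or BleepingComputer. The telemetry lines are constructed, and their field names (session, user, client, share_access, path) are hypothetical placeholders for whatever the file server's open-file export actually provides; the share-access constants mirror the CreateFileW sharing flags the article refers to.

```python
"""Flag SMB sessions that hold an unusual number of files open with
ShareAccess = 0 (no sharing allowed), the server-side signal the article
describes. Added illustrative example; not GhostLock's own code."""

from collections import defaultdict
from dataclasses import dataclass

# Sharing flags as granted on an open handle. 0 means the handle was
# opened with no sharing, so every other open of that file fails with a
# sharing violation.
FILE_SHARE_NONE = 0
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4


@dataclass(frozen=True)
class OpenFile:
    session_id: str    # SMB session that owns the handle
    user: str          # authenticated client user
    client: str        # client address or host name
    path: str          # share-relative path of the open file
    share_access: int  # ShareAccess granted on this handle


# Constructed sample telemetry (hypothetical layout): one line per handle
# currently open on the file server. Paths here contain no spaces, which
# the simple whitespace parser below relies on.
SAMPLE_TELEMETRY = r"""
session=0x2A user=CORP\alice client=10.0.5.21 share_access=3 path=finance\q1.xlsx
session=0x2A user=CORP\alice client=10.0.5.21 share_access=1 path=finance\notes.docx
session=0x3B user=CORP\svc-backup client=10.0.9.4 share_access=0 path=db\ledger.mdb
session=0x4C user=CORP\bob client=10.0.7.77 share_access=0 path=hr\payroll.xlsx
session=0x4C user=CORP\bob client=10.0.7.77 share_access=0 path=hr\reviews.docx
session=0x4C user=CORP\bob client=10.0.7.77 share_access=0 path=finance\q1.xlsx
session=0x4C user=CORP\bob client=10.0.7.77 share_access=0 path=finance\q2.xlsx
session=0x4C user=CORP\bob client=10.0.7.77 share_access=0 path=legal\contract.pdf
session=0x4C user=CORP\bob client=10.0.7.77 share_access=0 path=legal\nda.pdf
"""


def parse_telemetry(text: str) -> list[OpenFile]:
    """Parse key=value lines into OpenFile records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        records.append(OpenFile(
            session_id=fields["session"],
            user=fields["user"],
            client=fields["client"],
            path=fields["path"],
            share_access=int(fields["share_access"]),
        ))
    return records


def exclusive_open_counts(records: list[OpenFile]) -> dict[str, int]:
    """Number of distinct files each session holds with ShareAccess = 0."""
    per_session: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        if rec.share_access == FILE_SHARE_NONE:
            per_session[rec.session_id].add(rec.path)
    return {sid: len(paths) for sid, paths in per_session.items()}


def flag_sessions(records: list[OpenFile], threshold: int = 5):
    """Sessions whose exclusive-open count reaches the threshold.

    Returns (session_id, user, client, count) tuples, highest count first.
    The threshold is a placeholder; a real deployment would baseline it per
    user or share, since databases and backup agents legitimately hold a
    few files without sharing."""
    owner = {rec.session_id: (rec.user, rec.client) for rec in records}
    counts = exclusive_open_counts(records)
    flagged = [(sid, *owner[sid], n) for sid, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: item[-1], reverse=True)


if __name__ == "__main__":
    for sid, user, client, count in flag_sessions(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"session {sid} ({user} from {client}) holds {count} files with ShareAccess=0")
```

Run against the constructed sample, only bob's session is reported: alice's handles allow sharing, and the backup account's single exclusive open stays under the threshold, which is the kind of benign exclusive access a baseline has to tolerate. The counting is keyed on the SMB session rather than the user so that the same account coordinating from several hosts, as the article describes, shows up as several sessions that can each be tied back to a client.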

This development highlights a persistent gap in security monitoring, where legitimate API usage can be weaponized to cause significant operational downtime. As security teams increasingly focus on detecting malicious encryption patterns, techniques like GhostLock underscore the need for visibility into storage-level access metrics to identify anomalous file-locking behavior.

Synthesized by Vypr AI