A security researcher has developed a proof-of-concept tool called GhostLock that exploits a legitimate Windows file API to prevent access to local and network-shared files. This technique, demonstrated by Kim Dvash, leverages the CreateFileW API to lock files, causing disruption for other users and applications, according to Bleeping Computer.The GhostLock tool abuses the dwShareMode parameter within the Windows CreateFileW API. By setting this parameter to zero, a process can gain exclusive access to a file, blocking any other attempts to open it. This results in a "STATUS_SHARING_VIOLATION" error for other users or applications. The researcher has made a tool available on GitHub that automates this by recursively opening numerous files on SMB shares. Standard domain users can execute this tool without elevated privileges. While not a destructive attack like ransomware, GhostLock can cause significant operational downtime. It could also serve as a diversion tactic during cyber intrusions, overwhelming IT staff while attackers pursue other malicious activities such as data theft or lateral movement.Many security products are not designed to detect this method, as it involves legitimate file open requests rather than mass encryption or writes. Detection relies on monitoring per-session open-file counts at the file server layer, a metric not typically found in standard Windows event logs or EDR telemetry.Source: Bleeping Computer
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




