Threat Intelligence

New GhostLock tool abuses Windows API to block file access

A security researcher has developed a proof-of-concept tool called GhostLock that exploits a legitimate Windows file API to prevent access to local and network-shared files. This technique, demonstrated by Kim Dvash, leverages the CreateFileW API to lock files, causing disruption for other users and applications, according to Bleeping Computer.

The GhostLock tool abuses the dwShareMode parameter within the Windows CreateFileW API. By setting this parameter to zero, a process can gain exclusive access to a file, blocking any other attempts to open it. This results in a "STATUS_SHARING_VIOLATION" error for other users or applications. The researcher has made a tool available on GitHub that automates this by recursively opening numerous files on SMB shares. Standard domain users can execute this tool without elevated privileges. While not a destructive attack like ransomware, GhostLock can cause significant operational downtime. It could also serve as a diversion tactic during cyber intrusions, overwhelming IT staff while attackers pursue other malicious activities such as data theft or lateral movement.

Many security products are not designed to detect this method, as it involves legitimate file open requests rather than mass encryption or writes. Detection relies on monitoring per-session open-file counts at the file server layer, a metric not typically found in standard Windows event logs or EDR telemetry.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds