GhostLock: The Fileless Ransomware That Paralyzes Your Enterprise Without Encrypting a Single Byte + Video

Listen to this Post

Featured Image

Introduction

The multi-billion-dollar ransomware defense industry operates on a fundamental assumption: to cause catastrophic operational damage, malicious actors must write corrupted data to disk. GhostLock, a newly disclosed attack technique discovered by Kim Dvash, an Offensive Security Team Leader at Israel Aerospace Industries, shatters this assumption entirely. By systematically holding files in an exclusively locked state, a low-privileged domain user with standard read access can paralyze corporate Server Message Block (SMB) file shares without writing a single encrypted byte to disk, forcing `STATUS_SHARING_VIOLATION` errors across the enterprise.

Learning Objectives

  • Understand how the Windows `CreateFileW` API with `dwShareMode = 0` can be weaponized to create ransomware-equivalent availability impact without encryption.
  • Learn to detect, mitigate, and hunt for GhostLock-style file-locking attacks across SMB environments using PowerShell, Python, and SIEM queries.
  • Master defensive strategies to lock down SMB shares, monitor exclusive file handles, and build joint SecOps-StorageOps response runbooks.

You Should Know

  1. GhostLock Core Exploit: How a Legitimate Windows API Becomes a Disruption Weapon

GhostLock implements its attack through a single Windows API call: `CreateFileW` with dwShareMode = 0x00000000. This operation acquires an exclusive “deny-share” handle on a target file, preventing every other client — including legitimate users, backup agents, and critical applications — from opening, reading, or writing to it until the handle is closed. From the victim’s perspective, the impact is indistinguishable from a ransomware infection: critical files become inaccessible, ERP applications crash, and shared workflow pipelines fail, requiring specialist intervention to restore operations.

What makes GhostLock exceptionally dangerous is its complete operational stealth. The attack produces zero writes, zero file renames, zero encryption overhead, and zero C2 infrastructure signals. The tool requires no administrative rights, no third-party Python packages, and can be executed by any authenticated domain user with read access to the target share.

Step-by-step guide to understanding the attack mechanism:

Step 1: Open a file with exclusive sharing mode.
The following C/C++ code demonstrates how an attacker obtains an exclusive handle:

HANDLE hFile = CreateFileW(
L"\\server\share\finance.xlsx", // UNC path to SMB share
GENERIC_READ, // Only read access needed
0, // dwShareMode = 0 (exclusive)
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);

Upon success, any other process attempting to open `finance.xlsx` receives STATUS_SHARING_VIOLATION (0xC0000043).

Step 2: Scale across the enterprise file share.

GhostLock employs a 32-thread parallel work-stealing scanner that parallelizes `SMB2 QUERY_DIRECTORY` round-trips, reducing file discovery on a 500,000-file share from over 61 minutes to approximately 6 minutes and 22 seconds. A single SMB session can hold up to 64,000 exclusive handles simultaneously; with ten parallel sessions, an attacker can exceed 500,000 locked handles — sufficient to paralyze a significant fraction of an entire enterprise NAS deployment.

Step 3: Test the attack in an isolated lab environment.

Using the official GhostLock tool from GitHub:

git clone https://github.com/kimd155/ghostlock.git
cd ghostlock
python ghostlock.py

Select interactive mode, paste a UNC path (e.g., \\fileserver\department_share), or enable auto-discovery to automatically enumerate writeable SMB shares on the network.

  1. Evasion Matrix: Why Your EDR, SIEM, and Honeypots Stay Completely Silent

GhostLock evades every conventional ransomware defense deployed in the modern enterprise security stack:

| Detection Signal | Encryption Ransomware | GhostLock |

||||

| Bulk write I/O | Detectable | None |
| File rename / new extension | Detectable | None |
| Honey file triggered | Write to canary | Read-open only |
| Behavioral AI (write rate) | Fires | No writes |
| EDR on endpoint | Shellcode / injection | Looks like file indexer |
| DLP / content inspection | Bulk read anomaly | Indistinguishable from backup |
| Network traffic anomaly | Bulk SMB writes | Identical to Word opening a doc |
| Storage session open-file count | Not relevant | Only reliable signal |

The only observable that reliably identifies this attack is the per-session exclusive-handle count inside the NAS management interface — a metric that lives in storage platform management interfaces, not in Windows event logs, not in EDR telemetry, not in network flow data.

Step-by-step guide to detection and hunting:

Step 1: Query the NAS/SAN session table.

Connect to your NAS vendor’s CLI or API (commands vary by vendor). For Windows Server File Server, launch PowerShell as Administrator and query open SMB sessions:

Get-SmbOpenFile | Where-Object {$_.ShareRelativePath -ne $null} | 
Group-Object ClientComputerName | 
Select-Object Name, Count |
Where-Object Count -gt 500 |
Sort-Object Count -Descending

For advanced monitoring, install the `SmbShare` module and export session metrics to a SIEM:

Install-WindowsFeature -Name FS-FileServer
Add-WindowsCapability -Name "Storage.SMB.OpenFileAudit"
Get-SmbOpenFile | Select-Object -Property ClientComputerName, `
ShareName, SessionId, FileId, ShareRelativePath |
Export-Csv -Path "C:\audit\smb_open_files.csv"

Step 2: Deploy SIEM correlation rules (Splunk/ELK).

The GhostLock whitepaper provides detection queries. Here is a sample Splunk search to identify anomalous SMB activity:

index=windows sourcetype="WinEventLog:Microsoft-Windows-SMBClient/Operational" 
| stats count by ClientComputerName, ShareName, User
| where count > 5000
| eval threat_score = if(count > 10000, "critical", "high")
| table ClientComputerName, User, ShareName, count, threat_score

Step 3: Configure network detection rules (Zeek/Suricata).

Monitor the network for SMB2 CREATE requests with exclusive-sharing flags and no subsequent write operations:

 Zeek signature to detect GhostLock-style traffic
signature GhostLock-Exclusive-SMB {
ip-proto == tcp
dst-port == 445
payload /CREATE.ShareAccess=0/
no payload /WRITE/
event "Potential GhostLock exclusive handle attack"
}
  1. Defensive Hardening: Blocking GhostLock SMB Sessions at Scale

Because GhostLock exploits documented Windows behavior that has existed since Windows NT 3.1, there is no CVE and no patch. Defenders must instead apply configuration hardening, privilege reduction, and active monitoring.

Step-by-step guide to hardening SMB shares:

Step 1: Restrict SMB share permissions and enable strict enumeration.
On the Windows file server, open PowerShell as Administrator and apply these settings:

 Disable SMB1 if not required (critical security measure)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Enable SMB signing to prevent tampering
Set-SmbServerConfiguration -RequireSecuritySignature $true

Enable strict name checking to prevent spoofing
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name "DisableStrictNameChecking" -Value 0

Set session timeout to aggressively close idle SMB sessions
Set-SmbServerConfiguration -SessionTimeout 900

Step 2: Use PowerShell to kill suspicious SMB sessions in real time.
Create an automated incident response script that terminates sessions holding excessive exclusive handles:

$threshold = 5000
$suspiciousSessions = Get-SmbOpenFile | Group-Object SessionId | Where-Object Count -gt $threshold

foreach ($session in $suspiciousSessions) {
$sessionId = $session.Name
$client = (Get-SmbOpenFile | Where-Object SessionId -eq $sessionId).ClientComputerName[bash]
Write-EventLog -LogName "Security" -Source "SMBDefender" -Message "Killing GhostLock session from $client (ID: $sessionId, handles: $($session.Count))" -EventId 5001

Terminate the SMB session
Get-SmbSession -SessionId $sessionId | Close-SmbSession -Force
}

Step 3: Enforce application control to block unauthorized Python execution.
Since GhostLock is a Python-based tool, use AppLocker or Windows Defender Application Control to restrict Python execution to authorized system directories only:

 Create AppLocker rule to block Python execution from user-writable paths
$policy = Get-AppLockerPolicy -Local
$rule = New-AppLockerRule -User Everyone -Path "%OSDRIVE%\Users\" -Action Deny -RuleType Exe
Set-AppLockerPolicy -Policy $policy -Merge
  1. Incident Response: Containing and Recovering from a GhostLock Attack

Unlike traditional ransomware, recovery from GhostLock does not require data restoration from backups — once the malicious SMB sessions are terminated, file access is restored immediately. However, attackers can reacquire handles continuously, creating a whack-a-mole scenario for defenders.

Step-by-step guide to incident response:

Step 1: Identify the compromised user account and source IP.
Query the Windows File Server for the offending SMB session:

 Find the session with the most open exclusive handles
$offendingSession = Get-SmbOpenFile | Group-Object SessionId | Sort-Object Count -Descending | Select-Object -First 1
$username = (Get-SmbSession -SessionId $offendingSession.Name).UserName
$clientIP = (Get-SmbSession -SessionId $offendingSession.Name).ClientComputerName

Write-Output "Compromised User: $username"
Write-Output "Source IP: $clientIP"

Step 2: Immediately terminate the malicious SMB session and disable the compromised account.
From an elevated PowerShell prompt on the file server:

 Force-close the offending session
$offendingSession | ForEach-Object { Close-SmbSession -SessionId $_.Name -Force }

Disable the compromised AD user account
Disable-ADAccount -Identity $username

Force a Group Policy update to propagate the disable
Invoke-GPUpdate -Target Computer -Force

Step 3: Establish a joint SecOps-StorageOps runbook.

Experts recommend organizations create joint response plans between security and storage teams, monitor abnormal SMB activity, and configure alerts for sessions holding unusually high numbers of locked files. Sample runbook automation:

 Linux-based SIEM query (using netcat to fetch SMB session metrics)
nc -zv fileserver 445
smbclient -L //fileserver -U '%' -N 2>&1 | tee -a /var/log/smb_audit.log

5. Attacker Amplification: Multi-Host Coordination and Persistent Disruption

An attacker can amplify the impact by launching GhostLock simultaneously from multiple compromised devices within the same network. Even if administrators terminate some sessions, other systems can immediately reopen the handles and continue the disruption.

Step-by-step guide to understanding attack amplification:

Step 1: Simulate multi-host attack in a lab environment.
Clone the GhostLock repository onto multiple test VMs and execute coordinated locking:

 On attacker workstation 1
python ghostlock.py \fileserver\share --hold-indefinite --recursive

On attacker workstation 2 (simultaneous)
python ghostlock.py \fileserver\share --hold-indefinite --recursive

Check total locked files across all sessions
Get-SmbOpenFile | Measure-Object

Step 2: Defend by enforcing per-user SMB session limits.
On the Windows File Server, use PowerShell to limit the number of concurrent SMB sessions per user:

 Set maximum sessions per user (default is unlimited)
Set-SmbServerConfiguration -MaxSessionsPerUser 50

Set maximum open files per session
Set-SmbServerConfiguration -MaxOpenFilesPerSession 10000

Verify configuration
Get-SmbServerConfiguration | Select MaxSessionsPerUser, MaxOpenFilesPerSession
  1. Windows and Linux Commands for SMB Share Auditing

Maintaining a proactive auditing regimen is the most effective long-term defense against SMB abuse.

From a Windows domain-joined machine (client perspective):

 List all SMB shares accessible by the current user
net view \fileserver

Map a drive to audit share contents silently
net use Z: \fileserver\share

Use Robocopy to log all readable files (simulates attacker discovery)
robocopy Z:\ C:\temp\audit /L /E /NJH /NJS /NP /NS > smb_inventory.txt

Unmap the drive
net use Z: /delete

From Linux (using smbclient and enum4linux):

 Install required tools
sudo apt update && sudo apt install smbclient enum4linux cifs-utils

Enumerate SMB shares on a target file server
enum4linux -S fileserver.corp.local

Attempt to list files on an unprotected share (read access only)
smbclient //fileserver/department_share -N -c "recurse; ls"

Mount SMB share locally for analysis
sudo mount -t cifs //fileserver/share /mnt/smb_audit -o username=testuser,password=testpass,ro

What Undercode Say

  • GhostLock is not a vulnerability; it is a feature gone rogue. The `CreateFileW` API has worked as designed for over 30 years. Defenders cannot patch their way out of this — they must rethink detection assumptions and integrate storage-layer telemetry into SOC workflows. This is a blueprint for a new class of “feature abuse” attacks that will increasingly target legitimate system behaviors.

  • The only reliable detection signal lives inside the storage array. Collecting and aggregating per-session exclusive-handle counts from NAS/SAN management APIs into a SIEM or SOAR platform is no longer optional — it is a critical security control. Organizations that lack this visibility are operationally blind to GhostLock-style attacks, and they will only discover the breach when ERP systems go offline and users start screaming.

GhostLock represents a paradigm shift in offensive operations: ransomware without ransom, encryption without crypto, and disruption without a single write to disk. For defenders, the path forward is not better antivirus signatures but architectural resilience — reducing SMB exposure, enforcing least-privilege access, and building detection pipelines that look at storage platforms as the first-class security citizens they have always been. The attackers have already read the manual; it is time for defenders to read it too.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Gurubaran Cybersecuritynews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky