Windows GhostLock flaw locks files without ransomware signs

Attackers can now lock files on Windows SMB shares using a new 'GhostLock' method. This exploit is harder to detect than normal ransomware because it doesn't leave typical signs like file changes.

A recently identified vulnerability within the Windows CreateFileW API allows attackers to effectively lock a vast number of files on SMB shares. This exploit bypasses standard security measures, presenting as legitimate file access and eluding typical ransomware detection methods. The technique, dubbed "GhostLock" by researchers, achieves a ransomware-like impact by manipulating file sharing semantics at the kernel level, without making any overt write operations or detectable system anomalies.

The core of the vulnerability lies in how the Windows operating system handles file sharing requests. When a client uses the CreateFileW API and specifies a sharing mode of 0, the system grants an "exclusive deny-share handle." This grants the calling process exclusive access to the file, effectively locking it for other users. From an endpoint detection and response (EDR) perspective, these actions appear identical to normal user activity, such as opening documents, thus failing to trigger alerts related to shellcode injections or memory irregularities. Data loss prevention (DLP) tools also remain inactive as the attacker isn't exfiltrating data, keeping network traffic below alerting thresholds.


The 'GhostLock' Mechanism and Its Evasion Tactics

The "GhostLock" exploit operates with remarkable subtlety. Unlike conventional ransomware, it does not involve:

  • Shellcode injection

  • DLL sideloading

  • Code hollowing

Crucially, the exploit makes zero write operations on the target share. This means file integrity monitoring systems, which typically look for modifications, additions, or deletions, remain silent. Timestamps on file content are unaltered, and no operations like WRITE, SET_INFO, or RENAME are recorded. The entire impact is achieved through the manipulation of file handles, creating a state of inaccessibility without leaving traditional forensic breadcrumbs.


Implications for Incident Response and Defense

The implications of this vulnerability, highlighted by multiple security analyses including those from Gbhackers and Andrea Fortuna's blog, are significant for security teams. Traditional ransomware defenses, which are predicated on detecting write operations or malicious code execution, are rendered ineffective.

The primary recommendation for immediate containment involves updating incident response playbooks. These updated procedures should mandate direct coordination with storage administrators to forcefully terminate the offending network sessions at the storage infrastructure layer. This manual intervention is currently the most viable method to unlock affected files.
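The containment step described above, as an added example that is not from the article or the researchers it cites: a PowerShell script for the file server that flags SMB sessions holding an unusual number of open files, records what they hold, and optionally closes them. The cmdlets are from the built-in SmbShare module; the open-file threshold and the CSV file names are assumptions to tune to your environment.

```powershell
# Added example, not from the article. Run on the Windows file server that
# hosts the affected shares; needs the SmbShare module and local admin rights.
# $OpenHandleThreshold is an assumed value: a handle-only lock produces no
# WRITE/SET_INFO/RENAME trail, so the count of files a session holds open is
# one of the few server-side signals left. Baseline it against normal load.
param(
    [int]$OpenHandleThreshold = 500,
    [switch]$Terminate
)

# 1. Sessions holding an unusual number of open files.
$suspect = Get-SmbSession |
    Where-Object { $_.NumOpens -ge $OpenHandleThreshold } |
    Select-Object SessionId, ClientComputerName, ClientUserName, NumOpens, SecondsIdle

if (-not $suspect) {
    Write-Host "No SMB session holds $OpenHandleThreshold or more open files."
    return
}

foreach ($s in $suspect) {
    Write-Host ("Session {0} from {1} ({2}): {3} open files, idle {4}s" -f `
        $s.SessionId, $s.ClientComputerName, $s.ClientUserName, $s.NumOpens, $s.SecondsIdle)

    # 2. Preserve the list of held files for the incident record before acting.
    #    (Assumed file name; write it somewhere the attacker's session cannot reach.)
    $record = "ghostlock-session-{0}.csv" -f $s.SessionId
    Get-SmbOpenFile -SessionId $s.SessionId |
        Select-Object FileId, Path, ShareRelativePath, ClientUserName |
        Export-Csv -NoTypeInformation -Path $record
    Write-Host "  Open-file inventory written to $record"

    # 3. Containment at the storage layer: closing the session releases every
    #    handle it holds, which is what unlocks the files. Only do this with
    #    the storage administrator, as it also drops the user's legitimate work.
    if ($Terminate) {
        Close-SmbSession -SessionId $s.SessionId -Force
        Write-Host "  Session $($s.SessionId) closed; files released."
    } else {
        Write-Host "  Dry run; re-run with -Terminate to close this session."
    }
}
```

A client that is not also blocked (host firewall, share ACL or account disablement) can simply reconnect and reacquire the handles, so treat the session close as the first step, not the fix.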


Broader Context of SMB Vulnerabilities

This new class of vulnerability, termed "False File Immutability" by Elastic Security Labs, emerges within a landscape already fraught with Windows Server Message Block (SMB) protocol exploits. For years, SMB has been a target for attackers, leading to the exploitation of various flaws like EternalBlue (MS17-010), SMBGhost, and others.

These historical exploits have often focused on remote code execution (RCE) or privilege escalation. For example:

  • 'EternalBlue' vulnerabilities, such as MS17-010, have historically allowed for unauthenticated remote code execution by sending specially crafted packets to vulnerable SMBv3 servers.

  • More recent exploits, like CVE-2025-33073 detailed on Exploit-DB, demonstrate complex attack chains involving DNS injection, NTLM relay, and RPC coercion to achieve privilege escalation and RCE in Windows 11 and other versions.

  • Other SMB flaws have enabled attackers to gain SYSTEM privileges, as noted by the Cybersecurity and Infrastructure Security Agency (CISA), by tricking victim machines into connecting to malicious SMB servers.

The Common Log Filesystem (CLFS) has also seen security mitigations proposed by Microsoft, suggesting ongoing efforts to harden the Windows file system components. However, the CreateFileW API vulnerability appears to exploit a fundamental aspect of file sharing rather than a specific buffer overflow or protocol anomaly.

The persistence of SMB-related vulnerabilities underscores the importance of diligent patching and network segmentation. Microsoft continuously releases updates addressing these issues, often urging users to apply patches via Windows Update, WSUS, or the Microsoft Update Catalog. The ongoing exploitation of SMB flaws, as evidenced by their inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog, necessitates a proactive security posture.


Frequently Asked Questions

Q: What is the new Windows 'GhostLock' flaw?
A new flaw in Windows lets attackers lock many files on shared drives (SMB shares). It works like ransomware but is hard to detect because it doesn't leave normal signs of an attack.

Q: How does the 'GhostLock' flaw work?
The flaw uses a Windows command called 'CreateFileW' to get exclusive access to files. This locks them for others. Security tools see this as normal file use, not an attack.

Q: Why is 'GhostLock' different from normal ransomware?
Unlike regular ransomware, 'GhostLock' does not change or delete files. It also doesn't use common attack methods like injecting code. This means security programs that look for file changes or code might miss it.

Q: How can companies fix the 'GhostLock' problem?
Companies need to update their security plans. They should work directly with storage managers to stop the network connections causing the file locks. This manual step is the best way to unlock files right now.

Q: Is this the first time SMB has had security problems?
No, the Windows Server Message Block (SMB) system has had many security issues before. Past problems like 'EternalBlue' have allowed attackers to take control of computers. This new 'GhostLock' flaw adds to the ongoing risks with SMB.