GhostLock: The No-Encryption “Ransomware” That Can Paralyze Windows File Servers in Minutes
A security researcher has demonstrated an unconventional method to paralyze Windows file servers without resorting to data encryption or malicious drivers. This exploit relies solely on the native CreateFileW function—a fundamental utility employed daily by ubiquitous applications such as Microsoft Word.
This nascent technique, christened GhostLock, was pioneered by Kim Dvash of Israel Aerospace Industries. The methodology exploits a standard Windows mechanism governing file access; by opening a file in a so-called exclusive mode, the operating system summarily prohibits access to all other users and applications until the connection is severed.
The attack is efficacious against both local file systems and SMB network shares. An adversary can execute GhostLock under the guise of an ordinary domain user without elevated privileges. The tool recursively traverses directories, systematically opening files in exclusive access mode. Once these assets are seized, any subsequent attempt to access the documents results in a STATUS_SHARING_VIOLATION error.
According to the architect of GhostLock, the mechanism functions less like conventional ransomware and more like a Denial-of-Service (DoS) assault. While the data remains unencrypted and intact, the enterprise effectively loses dominion over its operational files. Business applications falter, resource management systems grind to a halt, and employees are rendered unable to access critical documentation.
The researcher notes that Windows maintains locking information exclusively within the kernel memory, leaving the physical disk untainted. Upon the termination of the SMB session, a system reboot, or the cessation of the process, access to the files is automatically restored.
GhostLock poses a particularly grave threat to expansive networks. Utilizing 32 concurrent threads, the tool is capable of sequestering hundreds of thousands of files in under ten minutes. Its creator asserts that on a 10 GbE network, an assault on a repository containing 500,000 files completes with greater celerity than many ransomware strains, yet without the telltale signatures of mass data modification or encryption.
A further complication arises from the attack’s inherent stealth. Most defensive systems are calibrated to detect anomalies such as mass file renaming or a surge in data entropy; however, GhostLock merely issues legitimate file-opening requests. From a network traffic perspective, the activity mirrors the benign operations of standard office software.
Kim Dvash warns that malicious actors may employ GhostLock as a diversionary tactic during a breach. While the IT department is preoccupied with resolving file unavailability, attackers can proceed to exfiltrate data or navigate laterally through the network.
The project’s author has published GhostLock on GitHub, accompanied by a detailed methodology, traffic analysis detection rules, and SIEM queries. The specialist maintains that the only reliable way to identify such an attack is by monitoring for an exorbitant volume of files opened with ShareAccess = 0 on the file server—a metric that most corporate monitoring systems currently neglect to collect.
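The detection metric described above, as an added example that is not part of the GhostLock project's published rules: Python detection logic run over constructed file-server open events, flagging any principal that opens many distinct files with ShareAccess = 0 inside a short window while ignoring ordinary shared opens. The log line format, field names, thresholds and sample hosts are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (an assumption, not a real Windows or SMB event schema):
#   <ISO time> client=<ip> user=<DOMAIN\name> share=<name> path=<path> share_access=<n>
LINE_RE = re.compile(r"(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
                     r"share=\S+ path=(?P<path>\S+) share_access=(?P<sa>\d+)")

def detect_exclusive_bursts(lines, threshold=50, window=timedelta(seconds=60)):
    """Return {(client, user): peak} for principals that opened at least `threshold`
    distinct files with ShareAccess == 0 inside any `window`. Opens with a non-zero
    share mode are ignored: they do not lock other users out, so they are not the signal."""
    recent = defaultdict(deque)   # (client, user) -> deque of (ts, path) in per-key time order
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["sa"]) != 0:
            continue                     # unparsable, or not an exclusive open
        key = (m["client"], m["user"])
        ts = datetime.fromisoformat(m["ts"])
        q = recent[key]
        q.append((ts, m["path"]))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        distinct = len({path for _, path in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def constructed_sample():
    """Constructed events: light legitimate exclusive use, heavy shared reads, one burst."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(5):    # alice edits a few documents over several minutes (share_access=0)
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} client=10.0.0.15 user=CORP\\alice share=Finance path=q1/report{i}.docx share_access=0")
    for i in range(300):  # bob's backup job: many opens with FILE_SHARE_READ (1), harmless
        t = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} client=10.0.0.30 user=CORP\\bob share=Finance path=archive/f{i}.pdf share_access=1")
    for i in range(200):  # burst: 200 distinct files opened exclusively within 30 seconds
        t = t0 + timedelta(milliseconds=150 * i)
        lines.append(f"{t.isoformat()} client=10.0.0.77 user=CORP\\jdoe share=Finance path=archive/f{i}.xlsx share_access=0")
    return lines
```

The threshold and window should be tuned against a baseline of the server's own exclusive-open rate, since editors and some backup tools legitimately open a handful of files with share mode 0.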