The GhostLock Paradigm: How Encryptionless File Locking Bypasses Modern Ransomware Defenses
For years, the multi-billion-dollar ransomware defense industry has been built upon a single, foundational assumption: to inflict catastrophic operational damage, a malicious actor must write corrupted or encrypted data to a disk. From CISA’s ransomware guidelines to the most advanced EDR solutions, the industry has optimized for detecting high-entropy writes, file renames, and mass deletions.
However, a newly disclosed attack technique known as GhostLock completely invalidates this premise. It demonstrates a method by which threat actors can paralyze entire enterprise file systems without encrypting a single bit of data.
Published in May 2026 by security researcher Kim Dvash, the open-source proof-of-concept reveals a chilling reality: a standard, low-privileged domain user account—the kind typically harvested through routine phishing—can effectively “freeze” hundreds of thousands of files on a Network Attached Storage (NAS) system.
By triggering widespread sharing violations across critical Enterprise Resource Planning (ERP) systems and shared workflows, attackers can induce total operational paralysis while leaving no traditional forensic signature in their wake.
The Mechanics: Exploiting Native Windows Semantics
The brilliance—and danger—of the GhostLock intrusion lies in its simplicity. It does not rely on an obscure zero-day vulnerability or sophisticated shellcode. Instead, it performs a “living-off-the-land” exploitation of a fully documented Windows operating system function: the CreateFileW API.
When a network client invokes this API and explicitly sets the dwShareMode parameter to 0, the system’s I/O manager interprets this as a request for absolute exclusivity. The operating system grants a “deny-share” handle, ensuring that no other process, user, or service can read, write, or delete the target file until that specific handle is closed.

Under the Server Message Block (SMB) protocol, the receiving server must strictly enforce this share contract. At the kernel level, the file system driver manages these strict sharing semantics entirely in memory; there is no user-mode bypass for a properly configured server. GhostLock leverages this behavior using a highly optimized, multithreaded parallel discovery architecture. By scanning directories and requesting these read-only exclusive handles simultaneously, the script can lock upwards of half a million files on a corporate share in under three minutes.
Because this technique bypasses the “write-heavy” signature of traditional ransomware, it slips through almost every modern defensive layer:
- Honeypots & Canary Files: These tools rely on detecting
Write,Rename, orDeleteevents. As noted by security researcher Andrea Fortuna, GhostLock generates zero file modifications, making canary files entirely blind to the intrusion. - Behavioral AI & Anomaly Detection: Most detectors look for sudden spikes in data entropy or massive write rates. GhostLock’s network profile mimics a benign enterprise search indexer or a backup application opening files in rapid succession.
- Endpoint Detection and Response (EDR): The system calls appear as legitimate user activity. There is no suspicious shellcode injection or memory corruption to trigger an alert.
- Data Loss Prevention (DLP): Since the attacker is merely “holding” the files rather than exfiltrating them, network traffic remains well below the thresholds required to trigger DLP alerts.
Strategic Defense: Detection and Incident Response
Since disabling the CreateFileW API with a 0 share mode would break legitimate enterprise software, security teams cannot rely on “blocking” the behavior. Instead, the focus must shift toward specialized telemetry-based detection.
The primary indicator of a GhostLock attack is found within the storage management session table. This table tracks the number of concurrent exclusive handles held by individual user sessions. Security Operations Centers (SOCs) should ingest storage-level telemetry into their SIEM and implement high-fidelity alerts for any single session that holds an anomalous number of exclusive handles (e.g., exceeding a threshold of 500).
Incident Response Considerations:
Traditional forensic workflows may struggle here. Analysts looking for modified timestamps or new “ransom note” files will find nothing, potentially leading to a misdiagnosis of a “system glitch” rather than a breach.
Crucially, simply revoking the compromised Active Directory credentials is insufficient. Because the network session is already authenticated, the SMB session will aggressively maintain its file locks until the connection naturally times out or is severed.
To effectively contain a GhostLock event, incident response runbooks must be updated to include direct coordination with storage administrators to forcefully terminate the offending network session at the storage infrastructure layer.