Threat Bulletin: Windows CreateFileW API Flaw Could Let Attackers Lock SMB Files at Scale

Overview

A newly disclosed attack technique known as GhostLock is raising concerns across the cyber security community after researchers demonstrated how attackers could effectively shut down enterprise file-sharing environments without deploying ransomware or deleting data.

The technique abuses legitimate Windows file-sharing behaviour through the CreateFileW API, allowing attackers with only a low-privileged domain account to lock massive numbers of files stored on SMB-accessible network shares.

Unlike traditional ransomware attacks, GhostLock does not encrypt files, rename documents, or generate obvious malware activity. Instead, it quietly abuses native Windows functionality to deny users access to critical business data and shared systems.

Researchers claim the technique can lock up to 500,000 files in under three minutes, potentially disrupting ERP systems, shared drives, document repositories, and operational workflows at enterprise scale.

Because the attack closely resembles legitimate file access activity, many existing security tools may struggle to detect it.

GhostLock is an “encryptionless” denial-of-access attack that abuses the way Windows and SMB file sharing handle file locks.

In simple terms, the attacker opens files in a way that tells Windows:

“Nobody else is allowed to access this file while I’m using it.”

Normally, this functionality exists to prevent users or applications from corrupting files by editing them simultaneously.

GhostLock weaponises this legitimate feature at scale.

By rapidly opening hundreds of thousands of files with exclusive access permissions, attackers can effectively make shared storage environments unusable for legitimate users.

Importantly:

  • Files are not encrypted
  • Data is not deleted
  • No ransomware payload is required

But the operational impact can still be severe.

The attack abuses the Windows CreateFileW API using a specific parameter:

dwShareMode = 0

This forces Windows to apply an exclusive file lock: while the attacker's handle stays open, no other user or process can obtain a handle to the file, which prevents them from:

  • Reading the file
  • Writing to the file
  • Deleting or renaming the file
  • Opening the file for any other purpose, even read-only

Under SMB protocol rules, the file server must honour the lock until the handle is closed or the originating session ends.

The GhostLock proof-of-concept reportedly uses highly parallelised scanning and multithreading to lock files extremely quickly across enterprise environments.

Researchers claim approximately 500,000 files can be locked in less than three minutes using only a standard authenticated domain account.

This attack is particularly concerning because it bypasses many of the controls organisations rely on to detect ransomware and destructive activity.

Traditional ransomware detection tools look for signs such as:

  • File encryption
  • File renaming
  • Entropy spikes
  • Mass file modifications
  • Suspicious binaries

GhostLock generates none of these indicators.

Instead, the activity often appears similar to:

  • legitimate file indexing,
  • backup operations,
  • or routine user access.

This significantly reduces visibility for:

  • EDR platforms
  • behavioural AI tooling
  • DLP solutions
  • canary file systems
  • traditional ransomware monitoring

In many environments, the first sign of compromise may simply be:

“Users can no longer access files.”

Although no files are destroyed, the disruption potential is substantial.

Attackers could potentially:

  • Lock shared corporate drives
  • Disrupt ERP platforms
  • Block access to operational documents
  • Interrupt manufacturing or finance workflows
  • Prevent teams from accessing business-critical data

For organisations heavily reliant on shared SMB storage, the effect could mirror a ransomware incident without the attacker ever deploying encryption malware.

GhostLock also introduces significant forensic and incident response challenges.

Because the attack uses legitimate Windows functionality:

  • No malware binaries may exist
  • No suspicious file changes occur
  • No encryption artefacts are created
  • No modified timestamps may appear

In addition, simply disabling the compromised user account may not immediately release the file locks.

The SMB session can continue maintaining the locks until:

  • the session times out,
  • the connection is forcefully terminated,
  • or the attacker voluntarily closes the handles.

This complicates both containment and recovery efforts.

Researchers recommend focusing heavily on SMB and storage telemetry rather than traditional endpoint-only visibility.

SOC teams should monitor for:

Suspicious SMB Activity

  • Excessive SMB handle creation
  • Large-scale rapid file-open activity
  • Sudden spikes in file-sharing violations
  • High-volume read-only access patterns

Exclusive File Locks

One of the strongest indicators is unusually high volumes of exclusive file handles linked to a single SMB session or user account.

Researchers suggest alerting on more than 500 simultaneous exclusive file handles per session.

User Behaviour Anomalies

  • Low-privileged accounts accessing unusually large numbers of files
  • Abnormal access velocity across network shares
  • Unusual SMB activity outside normal working patterns

Immediate Actions

Organisations should:

  • Ingest SMB session telemetry into SIEM platforms
  • Baseline normal file-lock behaviour across the business
  • Configure alerts for excessive exclusive file-handle activity
  • Review least-privilege access to critical network shares
  • Audit dormant or stale domain accounts with SMB access

Incident Response Preparation

Security and infrastructure teams should:

  • Validate the ability to forcibly terminate SMB sessions
  • Update incident response playbooks for “lock-only” attack scenarios
  • Coordinate closely with storage administrators during containment
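The following script is an added illustration (not part of the bulletin or the GhostLock research) of the two points above: flagging SMB sessions that hold more than the suggested 500 simultaneous open files, and forcibly terminating a confirmed session rather than relying on disabling the account. It assumes a Windows file server with the built-in SmbShare module and local administrator rights; the 500 threshold is taken from the bulletin.

```powershell
# Added example, not code from the bulletin or the GhostLock researchers.
# Assumptions: SmbShare module (Windows Server 2012 or later), run as a local
# administrator on the file server, $Threshold = 500 taken from the bulletin.
# Caveat: Get-SmbSession's NumOpens counts every open handle in the session,
# not only exclusive ones, so hits are triage candidates rather than proof.

param(
    [int]$Threshold = 500,
    [switch]$Contain   # sessions are closed only when this switch is supplied
)

# 1. Candidate sessions: a single SMB session with hundreds of simultaneous opens.
$suspects = Get-SmbSession |
    Where-Object { $_.NumOpens -gt $Threshold } |
    Sort-Object NumOpens -Descending

if (-not $suspects) {
    Write-Output "No SMB session exceeds $Threshold open files."
    return
}

foreach ($s in $suspects) {
    # 2. Enrich: how many distinct directories the session holds open, to judge
    #    whether this looks like one application working in one folder or a
    #    sweep across the share.
    $opens = Get-SmbOpenFile | Where-Object { $_.SessionId -eq $s.SessionId }
    $dirs  = $opens | ForEach-Object { Split-Path -Path $_.Path -Parent } |
             Sort-Object -Unique

    [pscustomobject]@{
        SessionId   = $s.SessionId
        Client      = $s.ClientComputerName
        User        = $s.ClientUserName
        NumOpens    = $s.NumOpens
        Directories = @($dirs).Count
        IdleSeconds = $s.SecondsIdle
    } | Format-List

    if ($Contain) {
        # 3. Containment: an existing session keeps its handles even after the
        #    account is disabled, so the session itself must be torn down.
        Close-SmbSession -SessionId $s.SessionId -Force
        Write-Output "Closed SMB session $($s.SessionId) for $($s.ClientUserName)."
    }
}
```

Run it without -Contain first to review the candidates; rerun with -Contain only for sessions an analyst has confirmed, since backup agents and indexers can legitimately exceed the threshold.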

Longer-Term Measures

Organisations should consider:

  • Improving NAS and SMB telemetry visibility
  • Enhancing UEBA coverage for file-access anomalies
  • Segmenting critical storage environments
  • Conducting tabletop exercises for denial-of-access attacks

GhostLock represents a high-impact operational disruption technique capable of bypassing many current ransomware-focused detection strategies.

Its reliance on legitimate Windows API behaviour and native SMB protocol enforcement makes preventative blocking difficult without affecting normal enterprise workflows.

The technique’s low complexity, minimal forensic footprint, and high disruption potential make it likely to see rapid adoption among threat actors seeking ransomware-style impact without deploying encryption malware.

For defenders, the key challenge will be shifting away from purely file-modification-based detection models towards behavioural monitoring of SMB session activity, file-handle telemetry, and abnormal access behaviour.

Techniques like GhostLock demonstrate why organisations need visibility beyond traditional ransomware indicators. NormCyber’s Managed Detection and Response (MDR) service provides continuous monitoring across endpoints, identities, network activity, and critical infrastructure telemetry to help detect stealthy attacks that may bypass conventional security controls.

By correlating abnormal SMB session behaviour, unusual file-access velocity, excessive exclusive file locks, and suspicious account activity, our SOC analysts can identify early signs of operational disruption before widespread business impact occurs. NormCyber MDR also supports rapid containment by helping organisations isolate compromised sessions, investigate abnormal access patterns, and reduce downtime during high-impact incidents. As attackers increasingly abuse legitimate Windows functionality to evade detection, advanced behavioural monitoring and expert-led threat hunting are becoming critical components of modern cyber defence.

Sources

https://andreafortuna.org/2026/05/10/ghostlock/
https://gbhackers.com/windows-createfilew-api-flaw/