A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused to block access to files stored locally or on SMB network shares [1]. The technique, created by Kim Dvash of Israel Aerospace Industries, exploits the Windows CreateFileW API and its file-sharing modes to prevent other users and applications from opening files for as long as the handles remain open [1].

GhostLock abuses the dwShareMode parameter of the CreateFileW() function, which controls what access other processes are allowed to the file while the handle is open [1]. When a file is opened with dwShareMode = 0, Windows grants the calling process exclusive access and rejects every subsequent attempt by other users or applications to open it until that handle is closed [1].

The researcher has published the GhostLock tool on GitHub; it automates the attack by recursively opening large numbers of files on SMB shares [1]. Standard domain users can run it without elevated privileges [1].

File access is restored once the associated SMB session terminates, the GhostLock processes are killed, or the affected system reboots, because Windows closes the handles automatically in each case [1]. Dvash told Bleeping Computer that the technique should be viewed primarily as a disruption attack rather than a destructive one [1].

"Yes, the impact is disruption-based, not destructive. The parallel to ransomware is the operational downtime window, not data loss," Dvash told Bleeping Computer [1].

In effect, this is a denial-of-service technique. Attackers could use widespread file-access disruption to keep IT staff occupied while conducting data theft, lateral movement, or other malicious activity elsewhere in the environment [1].

Many security products and behavioural detection systems focus on mass file writes or encryption operations [1]. GhostLock instead generates a high volume of ordinary file-open requests, which such systems are unlikely to flag [1].

"The only observable that reliably identifies this attack is the per-session open-file count with ShareAccess = 0 at the file server layer—a metric that lives inside storage platform management interfaces, not in Windows event logs, not in EDR telemetry, not in network flow data," Dvash explained [1].
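The exclusive-open observable Dvash describes, together with the dwShareMode semantics explained earlier, as an added example that is not code from the article or from the GhostLock tool: it scores per-session open-file records of the kind a file-server management interface might export and flags sessions whose opens are overwhelmingly exclusive. The record layout, field names, sample data and thresholds are all assumptions.

```python
"""Flag SMB sessions holding an unusual number of exclusive (ShareAccess = 0) handles.

Added example, not from the article or GhostLock. The record format below is a
constructed stand-in for whatever open-file listing the storage platform exposes.
"""

# Constructed records: (session_id, client_user, path, share_access).
# share_access uses the CreateFileW dwShareMode bits: 0 = exclusive,
# 0x1 = FILE_SHARE_READ, 0x2 = FILE_SHARE_WRITE.
OPEN_FILES = [
    ("s-100", "CORP\\alice", r"\\fs01\finance\q3.xlsx", 0x3),
    ("s-100", "CORP\\alice", r"\\fs01\finance\notes.docx", 0x1),
    ("s-100", "CORP\\alice", r"\\fs01\finance\budget.xlsx", 0x3),
    # A couple of exclusive opens in an otherwise normal session (e.g. an editor lock)
    ("s-200", "CORP\\bob", r"\\fs01\hr\policy.docx", 0),
    ("s-200", "CORP\\bob", r"\\fs01\hr\handbook.pdf", 0x1),
    ("s-200", "CORP\\bob", r"\\fs01\hr\roster.xlsx", 0),
    ("s-200", "CORP\\bob", r"\\fs01\hr\org.png", 0x1),
] + [
    # One session sweeping a directory tree and opening everything exclusively
    ("s-300", "CORP\\carol", rf"\\fs01\eng\sub{i % 3}\doc{i}.txt", 0)
    for i in range(12)
]


def summarize_sessions(records):
    """Aggregate per session: owner, total opens, exclusive opens, directories touched."""
    sessions = {}
    for sid, user, path, share_access in records:
        entry = sessions.setdefault(
            sid, {"user": user, "total": 0, "exclusive": 0, "dirs": set()}
        )
        entry["total"] += 1
        if share_access == 0:
            entry["exclusive"] += 1
            entry["dirs"].add(path.rsplit("\\", 1)[0])
    return sessions


def flag_sessions(records, min_exclusive=10, min_ratio=0.8):
    """Return (session, user, exclusive_count, dirs_touched) for suspicious sessions.

    Both an absolute count and a ratio are required: a few exclusive opens are
    normal application locking, while a session whose opens are nearly all
    exclusive and spread over many directories matches the GhostLock pattern.
    Thresholds are assumptions to be tuned against a baseline of normal activity.
    """
    flagged = []
    for sid, e in summarize_sessions(records).items():
        ratio = e["exclusive"] / e["total"]
        if e["exclusive"] >= min_exclusive and ratio >= min_ratio:
            flagged.append((sid, e["user"], e["exclusive"], len(e["dirs"])))
    return sorted(flagged)


if __name__ == "__main__":
    for sid, user, count, dirs in flag_sessions(OPEN_FILES):
        print(f"{sid} ({user}): {count} exclusive opens across {dirs} directories")
```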

How this was made. This article was assembled by Startupniti's editorial AI from the source listed in the right rail. The synthesis ran through our 4-model cascade (Gemini Flash Lite → GPT-4o-mini → DeepSeek → Llama 3.3 70B), logged to ops.llm_calls. Every fact traces to a citation. If a fact looks wrong, write to corrections.