GhostLock CreateFileW share-mode file-locking technique
Technical Analysis
Summary
Hide ▲
Show ▼
GhostLock exposes a file-locking technique that abuses Windows CreateFileW to deny access to files on local systems and SMB shares. Because the method relies on legitimate exclusive opens, it can trigger STATUS_SHARING_VIOLATION errors while avoiding the write-and-encrypt signals many defenses watch for. The result is a disruption-focused tactic that can mask other malicious activity in an environment.
Timeline
-
12.05.2026 01:02 2 articles · 15d ago
GhostLock proof-of-concept release
Initial DisclosureKim Dvash of Israel Aerospace Industries released GhostLock, a proof-of-concept tool that uses Windows CreateFileW and dwShareMode = 0 to open files with exclusive access on local disks and SMB network shares, causing STATUS_SHARING_VIOLATION errors for other users and applications. The technique can be run by standard domain users without elevated privileges, is described as disruption-based rather than destructive, and is less visible to tools that focus on mass file writes or encryption; the most reliable observable is a per-session open-file count with ShareAccess = 0 at the file server layer.
Show sources
- New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02