GhostLock PoC Shows How Windows API Abuse Can Disrupt File Access on SMB Shares
A security researcher has released a proof-of-concept tool, **GhostLock**, demonstrating how a legitimate Windows file API can be abused to block access to files stored locally or on SMB network shares. This technique leverages the `CreateFileW` API to create denial-of-service conditions.

**Kim Dvash** of **Israel Aerospace Industries** has developed a technique, dubbed **GhostLock**, that abuses the Windows `CreateFileW` API and its file-sharing modes to prevent other users and applications from opening files. The lock holds for as long as the file handles remain open, effectively shutting other users out.
### The GhostLock Technique
The **GhostLock** technique exploits the `dwShareMode` parameter of the `CreateFileW()` function. This parameter dictates what kind of access (read, write, delete) other processes may have to a file while the handle returned by this call is still open.
Setting `dwShareMode` to `0` grants the initiating process exclusive access, preventing any other user or application from opening the file. Attempts to access the file will result in a `STATUS_SHARING_VIOLATION` error in Windows.
For example:
```c
#include <windows.h>

HANDLE hFile = CreateFileW(
    L"\\\\server\\share\\finance.xlsx",  /* UNC path; backslashes are escaped in C */
    GENERIC_READ,                        /* read access is all the caller needs */
    0,                                   /* dwShareMode = 0: no sharing at all */
    NULL,                                /* default security attributes */
    OPEN_EXISTING,                       /* the file must already exist */
    FILE_ATTRIBUTE_NORMAL,
    NULL                                 /* no template file */
);
```

### GhostLock Tool
**Dvash** has published the **GhostLock tool** on **GitHub**, which automates the attack by recursively opening a large number of files on SMB shares. As long as these file handles remain open, subsequent attempts to access the files will fail due to sharing violations. The tool operates with standard domain user privileges, requiring no elevated permissions.
An attacker can amplify the disruption by launching the attack from multiple compromised devices simultaneously, continuously reacquiring file handles as processes are terminated.
### Mitigation and Impact
Terminating the SMB session, killing the **GhostLock** processes, or rebooting the affected system will release the file handles and restore access to the files. **Dvash** emphasizes that this technique is primarily a disruption attack, akin to a denial-of-service, rather than a destructive attack like ransomware. The impact is on operational downtime, not data loss.
While not destructive, this attack can be used as a decoy during intrusions. By creating widespread file-access disruptions, attackers can distract IT staff while conducting data theft, lateral movement, or other malicious activities elsewhere in the environment.
### Detection Challenges
Many security products focus on detecting mass file writes or encryption. **GhostLock** generates legitimate file open requests, making it potentially harder to detect. According to **Dvash**, the most reliable indicator is the per-session open-file count with `ShareAccess = 0` at the file server layer. This metric resides within storage platform management interfaces, not typically in Windows event logs, EDR telemetry, or network flow data.
**Dvash** has provided SIEM queries and an NDR detection rule in the [GhostLock whitepaper](https://zenodo.org/records/20070064) to aid IT teams in detection efforts.
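A defender-side illustration of that indicator, added here and not taken from the whitepaper or the GhostLock repository: it scores a constructed export of open-file records by the number of exclusive (ShareAccess = 0) handles each SMB session holds. The record field names, the sample data and the threshold are assumptions, not a real storage product's schema.

```python
from collections import defaultdict

# Constructed sample of open-file records in the shape a file-server
# management interface might export (field names are an assumption).
# share_access == 0 means the handle was opened with dwShareMode = 0.
def _rec(session, user, client, path, share_access):
    return {"session_id": session, "user": user, "client": client,
            "path": path, "share_access": share_access}

SAMPLE_OPEN_FILES = (
    # Ordinary activity: a few files, opened with read sharing allowed.
    [_rec("0x11", "CORP\\alice", "10.0.1.20", f"\\\\srv\\finance\\q{i}.xlsx", 1)
     for i in range(1, 4)]
    # A single exclusive open from a normal user (some applications do this).
    + [_rec("0x12", "CORP\\bob", "10.0.1.21", "\\\\srv\\finance\\notes.docx", 0)]
    # Suspicious: one session holding hundreds of exclusive handles across
    # several directories, as a recursive locker would produce.
    + [_rec("0x2a", "CORP\\carol", "10.0.9.77", f"\\\\srv\\finance\\{d}\\f{i}.pdf", 0)
       for d in ("2023", "2024", "2025") for i in range(60)]
)


def exclusive_opens_per_session(records):
    """Count open handles with ShareAccess = 0, grouped by SMB session."""
    counts = defaultdict(int)
    for r in records:
        if r["share_access"] == 0:
            counts[(r["session_id"], r["user"], r["client"])] += 1
    return dict(counts)


def flag_sessions(records, threshold=50):
    """Return sessions at or above the exclusive-open threshold, worst first.

    The threshold is a placeholder; tune it against the server's own baseline,
    since a handful of exclusive opens per session is normal application behaviour.
    """
    ranked = sorted(exclusive_opens_per_session(records).items(),
                    key=lambda kv: -kv[1])
    return [(sess, user, client, n)
            for (sess, user, client), n in ranked if n >= threshold]


if __name__ == "__main__":
    for sess, user, client, n in flag_sessions(SAMPLE_OPEN_FILES):
        print(f"session {sess} ({user} from {client}): {n} exclusive opens")
```

Closing the flagged session at the server releases every handle it holds, which is the recovery the article describes.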
