Hackers Can Exploit Windows CreateFileW API to Lock Thousands of SMB Files
However, a newly disclosed attack technique named GhostLock shatters the long-held assumption that locking users out of their files requires encrypting them.
It demonstrates exactly how threat actors can paralyze entire enterprise file systems without encrypting a single byte of data.
Published in May 2026 by security researcher Kim Dvash, the open-source proof-of-concept reveals a devastating new threat.
It shows how a standard, low-privileged domain user account, typically acquired through routine phishing campaigns, can lock hundreds of thousands of files on an enterprise network-attached storage (NAS) system.
By executing this attack, threat actors can instantly trigger extensive sharing violations across crucial enterprise resource planning (ERP) systems and shared business workflows, leaving absolutely no traditional forensic signature behind.
The core mechanism driving the GhostLock intrusion is not an obscure zero-day vulnerability.
Instead, it relies on the clever exploitation of a fully documented Windows operating system function known as the CreateFileW API.
When a network client calls this specific application programming interface and explicitly sets the sharing mode parameter to 0, the system’s I/O manager grants an exclusive “deny-share” handle.
Under the Server Message Block (SMB) protocol specification, the receiving server must strictly enforce this share contract.
This ensures that no other process or user can read, write, or delete the target file until the malicious actor voluntarily closes the handle.
At the kernel level, the file system driver enforces these strict sharing semantics entirely in memory, offering no possible user-mode bypass.
The GhostLock tool leverages this standard behavior at an enterprise scale by utilizing a highly optimized, multithreaded parallel discovery architecture.
By scanning directories and requesting these read-only exclusive handles simultaneously, the automated script can locate and lock half a million files on a corporate network share in less than three minutes.
Because this technique fundamentally alters the traditional anatomy of a network lockout attack, it successfully bypasses almost every layer of a modern cybersecurity defense architecture.
Security honeypots and canary files are rendered entirely useless because the attack generates exactly zero write, rename, or delete events on the compromised storage volume, as reported by Andrea Fortuna.
Furthermore, behavioral artificial intelligence models and write-rate anomaly detectors fail to trigger alerts.
The network traffic profile is virtually indistinguishable from a benign enterprise search indexer or a routine backup application opening documents.
At the endpoint detection and response (EDR) level, the system calls appear identical to a standard employee rapidly opening office documents.
Data loss prevention (DLP) tools also remain completely silent since the attacker opens the files without actively exfiltrating their contents.
Because restricting the underlying API would catastrophically break legitimate software operations, security operations centers cannot simply block the function.
Instead, defense teams must pivot strictly to specialized telemetry-based detection strategies.
The single reliable indicator of a GhostLock attack resides within the storage management session table, which actively tracks the number of simultaneous exclusive handles held by each user.
Security teams should ingest this specific storage telemetry directly into their centralized logging platforms and configure critical alerts for any single session that exceeds 500 exclusive handles.
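The per-session alert logic described above, as an added illustration that is not part of the original article or the GhostLock tool: it ingests constructed session-table records (the CSV layout is assumed), counts only handles opened with share mode 0, and flags any session over the 500-handle threshold while leaving a search indexer that holds more files open with FILE_SHARE_READ unflagged.

```python
from collections import Counter
from dataclasses import dataclass

# Win32 dwShareMode bits; 0 means no sharing at all (the exclusive deny-share handle).
FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4
EXCLUSIVE_THRESHOLD = 500  # per-session alert threshold recommended in the article


@dataclass(frozen=True)
class OpenHandle:
    session_id: str
    user: str
    share_mode: int
    path: str


def parse_handle_record(line: str) -> OpenHandle:
    """Parse one exported line 'session_id,user,share_mode,path' (assumed export format)."""
    session_id, user, share_mode, path = line.strip().split(",", 3)
    return OpenHandle(session_id, user, int(share_mode, 0), path)


def is_exclusive(handle: OpenHandle) -> bool:
    # Share mode 0 is the deny-share handle GhostLock relies on; any share bit set still
    # lets other users read, write or delete, which is how indexers and backups open files.
    return handle.share_mode & (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE) == 0


def exclusive_handles_per_session(handles):
    """Map session_id -> (user, number of exclusive handles currently held)."""
    counts, users = Counter(), {}
    for handle in handles:
        if is_exclusive(handle):
            counts[handle.session_id] += 1
            users[handle.session_id] = handle.user
    return {sid: (users[sid], n) for sid, n in counts.items()}


def ghostlock_alerts(handles, threshold=EXCLUSIVE_THRESHOLD):
    """Return (session_id, user, exclusive_count) for every session above the threshold."""
    per_session = exclusive_handles_per_session(handles)
    return sorted((sid, user, n) for sid, (user, n) in per_session.items() if n > threshold)


def constructed_session_table():
    """Constructed sample telemetry: one suspicious session, one indexer, one normal user."""
    lines = ["0x1a,CORP\\jdoe,0,\\\\nas01\\finance\\doc%d.xlsx" % i for i in range(600)]
    lines += ["0x2b,CORP\\svc_index,0x1,\\\\nas01\\finance\\doc%d.xlsx" % i for i in range(900)]
    lines += ["0x3c,CORP\\asmith,0,\\\\nas01\\hr\\file%d.docx" % i for i in range(40)]
    return [parse_handle_record(line) for line in lines]
```

The session returned by ghostlock_alerts is the one to hand to storage administrators for termination, since revoking the account alone leaves its locks in place.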
From an incident response perspective, standard forensic investigations will show no modified timestamps or new files, which can easily lead analysts down the wrong path.
Most importantly, simply revoking the compromised Active Directory credentials is insufficient. The pre-authenticated network session will aggressively maintain its file locks until the connection naturally times out.
To effectively contain the threat, organizations must update their incident response runbooks immediately.
Security teams must coordinate directly with storage administrators to forcefully terminate the offending network session at the storage infrastructure layer.
The post Hackers Can Exploit Windows CreateFileW API to Lock Thousands of SMB Files appeared first on Cyber Security News.