
Cybersecurity Threat Advisory

GhostLock is a newly disclosed attack technique that abuses the Windows CreateFileW API to lock enterprise files by requesting exclusive, deny‑share handles. Read this Cybersecurity Threat Advisory to learn how to limit your organization’s exposure to this attack.

What is the threat?

GhostLock targets Windows file systems and Network Attached Storage (NAS) over the SMB protocol. The technique abuses the Windows CreateFileW API by setting the sharing mode to zero, forcing exclusive deny‑share handles that block all other read and write access. Attackers scale the impact using multithreaded scripts that traverse directory trees rapidly, enabling a single user account to lock millions of files across an enterprise network without modifying any data.

Why is it noteworthy?

This threat is particularly severe because it can paralyze large network shares and Enterprise Resource Planning (ERP) systems within minutes. It evades traditional ransomware detection, as no encryption or file modification occurs. The attack exploits legitimate, by‑design operating system behavior that cannot be patched, forcing organizations to rely on storage‑level session monitoring and rapid SMB session termination.

GhostLock also remains invisible to most signature‑based Endpoint Detection and Response (EDR) and antivirus tools. Because it generates no encryption, exfiltration, or heavy write activity, defenders often cannot distinguish it from legitimate backup or indexing operations. This technique signals a shift toward policy‑abuse attacks that weaponize documented OS features rather than software flaws. Without a predefined response runbook, organizations can expect mean recovery times of four to eight hours.

What is the exposure or risk?

The primary exposure from this attack affects network shares and NAS‑attached storage that support ERP systems, shared workflows, and collaborative data. Beyond immediate downtime, GhostLock poses a serious risk to incident response by locking access to forensic logs and disrupting business continuity by preventing backup agents from reading source files. Any organization that uses SMB for collaborative file sharing faces risk, as a single compromised user account can initiate access denials across large portions—or all—of the storage environment.

What are the recommendations?

Barracuda recommends the following actions to limit the impact:

  • Ingest and monitor storage management session state to detect anomalous behavior.
  • Limit user permissions to only the specific network shares required for their role.
  • Do not disable the CreateFileW API or attempt to block access to it. The Windows operating system and most applications depend on it for normal operation.
  • Revise current runbooks to include denial-of-access scenarios, emphasizing cross-team collaboration.
  • Protect backups from session locks and run regular recovery drills to ensure data availability during lockout events.
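As an added illustration of the first recommendation (this is example code written for this page, not Barracuda's code and not any storage vendor's export format), the following Python scores open-file records from a file server or NAS session listing and flags a session whose deny-share opens (share mode 0) match the pattern described above: many exclusive handles, opened quickly, spread across many directories. The record layout, field names, thresholds and sample data are all assumptions; a backup job that opens files with a FILE_SHARE_* bit set is deliberately not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class OpenFileRecord(NamedTuple):
    opened_at: datetime  # time the handle was granted (assumed field)
    session_id: str      # SMB session that owns the handle
    user: str            # authenticated account
    path: str            # share-relative path of the file
    share_mode: int      # 0 = deny-share (exclusive); nonzero = FILE_SHARE_* bits

# Assumed thresholds; tune them against the environment's backup/indexing baseline.
MAX_EXCLUSIVE_PER_SESSION = 100   # exclusive handles one session may hold
WINDOW = timedelta(seconds=60)    # window for the open-rate check
MAX_EXCLUSIVE_RATE = 50           # exclusive opens per WINDOW
MIN_DIRECTORIES = 10              # breadth that suggests directory-tree traversal

def find_suspicious_sessions(records):
    """Return one finding per session whose deny-share opens look like a lockout."""
    by_session = defaultdict(list)
    for rec in records:
        if rec.share_mode == 0:           # only exclusive handles matter here
            by_session[rec.session_id].append(rec)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r.opened_at)
        dirs = {r.path.rsplit("\\", 1)[0] for r in recs}
        peak, start = 0, 0                # peak number of opens inside any WINDOW
        for i, rec in enumerate(recs):
            while rec.opened_at - recs[start].opened_at > WINDOW:
                start += 1
            peak = max(peak, i - start + 1)
        if len(recs) >= MAX_EXCLUSIVE_PER_SESSION or (
                peak >= MAX_EXCLUSIVE_RATE and len(dirs) >= MIN_DIRECTORIES):
            findings.append({"session_id": sid, "user": recs[0].user,
                             "exclusive_handles": len(recs), "peak_rate": peak,
                             "directories": len(dirs)})
    return findings

def constructed_sample():
    """Constructed records: a backup job, a normal editor, and a mass deny-share session."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    recs = [OpenFileRecord(t0 + timedelta(milliseconds=20 * i), "S1", "svc_backup",
                           f"erp\\dir{i % 30}\\f{i}.dat", 1) for i in range(300)]  # FILE_SHARE_READ
    recs += [OpenFileRecord(t0 + timedelta(seconds=10 * i), "S2", "alice",
                            f"docs\\proj\\f{i}.xlsx", 0) for i in range(3)]        # a few exclusive opens
    recs += [OpenFileRecord(t0 + timedelta(milliseconds=100 * i), "S3", "bob",
                            f"erp\\dir{i % 12}\\f{i}.dat", 0) for i in range(120)] # 120 exclusive in 12 s
    return recs
```

Running `find_suspicious_sessions(constructed_sample())` reports only session S3; the flagged session and user are the values to feed into the SMB session-termination step of the runbook.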

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Leavar Michel

Leavar is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Leavar supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
