GhostLock Abuses Windows API to Lock 500K Files, Bypassing EDR

GhostLock uses Windows CreateFileW to lock 500,000 files in under three minutes, blocking all access without encryption and evading EDR detection.

    A newly discovered extortion tool called GhostLock can render half a million files completely inaccessible in under three minutes — without encrypting a single byte. Security researchers found the tool actively advertised on cybercrime forums, and its design exploits a fundamental gap between how endpoint detection tools identify threats and how the Windows operating system manages file access.

    GhostLock’s Abuse of the Windows CreateFileW API

    GhostLock achieves its effect by calling the legitimate Windows CreateFileW API with a share mode of zero, that is, without any of the FILE_SHARE_READ, FILE_SHARE_WRITE or FILE_SHARE_DELETE flags. For as long as that handle stays open, every attempt by any other process, whether a user's editor, a service or a backup agent, to open the file for read, write or delete access fails with ERROR_SHARING_VIOLATION, and no privilege overrides the sharing check. The data remains intact on disk, but it is functionally unreachable for the duration of the lock.

    In testing, the tool locked 500,000 SMB-shared files in approximately 2 minutes and 37 seconds. Over SMB the server opens each file on the client's behalf with the share mode the client requested, so the lock is enforced on the file server and blocks local and remote users alike. Because opening a file with no sharing is a native, documented operating system feature, the operation generates no malicious-looking API calls; endpoint detection and response platforms observe behaviour consistent with any legitimate file-intensive application and raise no alert.

    Why EDR Solutions Cannot Flag Routine File-Locking Operations

    The core detection problem is that CreateFileW with a share mode of zero is called thousands of times per second across normal Windows environments, by antivirus scanners, backup agents, document editors and database engines. EDR products rely on behavioral heuristics, process reputation and signature matching. GhostLock's lock operations produce no encryption artifacts, no ransom note writes, no shadow copy deletions and no registry modifications, the standard indicators that ransomware detections are tuned to catch.

    Researchers note that terminating the GhostLock process releases every handle it holds immediately and the files become accessible again. That makes the immediate remedy simple, but it also creates an operational dynamic in which an attacker with a persistent foothold can re-lock the files at will, forcing the victim into a negotiation rather than a recovery effort. No encrypted artifacts exist for forensic reconstruction, and no decryption key needs to be purchased: the attacker simply holds the handles open.
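    The following PowerShell session, added here as an illustration and not code from GhostLock or the researchers, reproduces the two behaviours described above: the CreateFileW share-mode-zero lock, and the immediate release of the files once the holding handles close. It uses .NET's File.Open with FileShare.None, which calls CreateFileW with dwShareMode = 0; the directory and file names under %TEMP% are assumptions, and the files themselves are constructed on the fly. Run it on Windows in PowerShell 5.1 or later.

```powershell
# Added example, not GhostLock's code: reproduce the lock-without-encrypt primitive
# on a few constructed files. [System.IO.File]::Open with FileShare.None calls
# CreateFileW with dwShareMode = 0, the "no sharing" mode the article describes.
# The directory and file names are assumptions; everything happens under %TEMP%.

$dir = Join-Path $env:TEMP 'ghostlock-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
1..5 | ForEach-Object {
    Set-Content -Path (Join-Path $dir "doc$($_).txt") -Value "constructed sample $_"
}

# Hold an exclusive handle on every file. Read access is enough: the share mode,
# not the access mask, is what blocks everyone else, and no byte is ever written.
$held = [System.Collections.Generic.List[System.IO.FileStream]]::new()
$sw   = [System.Diagnostics.Stopwatch]::StartNew()
foreach ($f in Get-ChildItem -Path $dir -File) {
    $held.Add([System.IO.File]::Open($f.FullName,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::None))
}
$sw.Stop()
"Holding $($held.Count) exclusive handles (took $($sw.ElapsedMilliseconds) ms)"

# Every other open attempt now fails with ERROR_SHARING_VIOLATION (Win32 error 32),
# even from an elevated process. The file contents on disk are untouched.
try {
    [System.IO.File]::OpenRead((Join-Path $dir 'doc1.txt')) | Out-Null
} catch {
    $e = $_.Exception
    if ($e.InnerException) { $e = $e.InnerException }   # unwrap MethodInvocationException
    "Blocked: $($e.Message) (Win32 error $($e.HResult -band 0xFFFF))"
}

# What a defender sees after killing the locking process: Windows closes the
# handles and the files are readable again, exactly as they were.
foreach ($h in $held) { $h.Dispose() }
Get-Content -Path (Join-Path $dir 'doc1.txt')
```

    Scale the loop to a share path to see the timing the researchers report; the per-file cost is one CreateFileW, which is why the handle count, not any write or encryption artifact, is the only thing that distinguishes this from a backup agent walking the same tree.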

    Impact on SMB Environments and Incident Response Playbooks

    The extortion model GhostLock enables is distinct from conventional ransomware in ways that matter to insurers and incident responders. Most cyber insurance policies and IR playbooks are structured around the assumption that ransomware attacks involve encryption and key-based recovery. GhostLock’s lock-without-encrypt approach means there is no decryption key to negotiate for, no encrypted file signature to identify, and no standard forensic timeline of file modification events.

    Organizations with SMB-heavy environments — shared network drives, file servers, NAS devices — face the greatest direct exposure. A single GhostLock instance targeting a file server can render entire departments non-operational with no warning from security tooling.

    Researchers also warn of a likely hybrid use case: ransomware operators could deploy GhostLock as a fast-lock phase before their primary encryption payload executes. Locking files first would immediately halt business operations and any backup agent that opens files directly, and encryption could then proceed at a slower pace under reduced defensive pressure. The combination would increase operational impact while shrinking the window defenders have to respond before data is encrypted.

    Defensive Posture Against File-Locking Extortion

    No CVE has been assigned to GhostLock because no software vulnerability is exploited — the tool uses the Windows API as designed. Defenders cannot patch their way out of this exposure.

    Mitigations focus on limiting what a GhostLock process can reach. Network segmentation that restricts which hosts can access SMB shares reduces the blast radius of any single compromised endpoint. Privileged Access Workstations and least-privilege file share permissions limit the number of files a compromised user account can lock; a share-mode lock still requires the caller to be granted access to the file, so an account that cannot open a share cannot lock its contents. Monitoring for processes or SMB sessions that open an anomalously high number of files in a short window, a pattern legitimate applications rarely exhibit at GhostLock's scale, offers a detection angle that does not depend on encryption indicators. On a file server the raw material is the per-session open count reported by Get-SmbSession and, where Detailed File Share auditing is enabled, the volume of Security event 5145 records per client. Because the locks vanish the moment the holder's handles close, the file server is also the fastest place to respond: closing the offending SMB session releases every file it held.
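    As a worked example of the detection and response angle just described, the PowerShell below is added here and is not from the article or the GhostLock tool. The SmbShare cmdlets (Get-SmbSession, Get-SmbOpenFile, Close-SmbSession) and Security event 5145 are real Windows features; the thresholds, the function names and the sample 5145-style records are assumptions constructed for illustration, so the detection part runs offline while the response part needs a file server.

```powershell
# Added example, not from the article or the GhostLock tool: a file-server side
# detection and response sketch for share-mode lock bursts. The SmbShare cmdlets and
# Security event 5145 are real; the thresholds and the sample records are assumptions.

# --- Detection: Security event 5145 ("Audit Detailed File Share" subcategory) is
# written once per SMB open on the server, so a client that opens files at
# GhostLock's rate produces a burst of 5145s from one IP and user within a minute.
function Get-SmbOpenBurst {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with TimeCreated, IpAddress, User
        [int]$OpensPerMinute = 500                  # assumed threshold; baseline your own servers
    )
    $Events |
        Group-Object -Property { '{0}|{1}|{2:yyyy-MM-dd HH:mm}' -f $_.IpAddress, $_.User, $_.TimeCreated } |
        Where-Object { $_.Count -ge $OpensPerMinute } |
        ForEach-Object {
            $ip, $user, $minute = $_.Name -split '\|'
            [pscustomobject]@{ IpAddress = $ip; User = $user; Minute = $minute; Opens = $_.Count }
        }
}

# Read real 5145 records from the local Security log and flatten the fields used above.
function Get-Recent5145 {
    param([int]$Minutes = 10)
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            IpAddress   = $data['IpAddress']
            User        = $data['SubjectUserName']
            Target      = $data['RelativeTargetName']
        }
    }
}

# Constructed sample: one client opens 600 files in under a minute, another opens 3.
$t0 = Get-Date '2024-01-01 09:00:00'
$sample = @(
    1..600 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddMilliseconds(90 * $_); IpAddress = '10.0.0.45'; User = 'jdoe';   Target = "Finance\Q1\doc$($_).xlsx" } }
    1..3   | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $_);      IpAddress = '10.0.0.12'; User = 'asmith'; Target = "HR\file$($_).docx" } }
)
Get-SmbOpenBurst -Events $sample          # only 10.0.0.45 / jdoe crosses the threshold
# Live: Get-SmbOpenBurst -Events (Get-Recent5145 -Minutes 5)

# --- Response: the holder's server-side handles belong to its SMB session. Dropping
# the session releases every lock at once (the same release-on-close behaviour the
# article describes for killing the process). The attacker's foothold remains, so this
# restores access while the client is isolated; it does not end the incident.
function Close-LockingSmbSession {
    param([int]$MinOpens = 1000, [switch]$ReportOnly)   # assumed threshold
    foreach ($s in (Get-SmbSession | Where-Object { $_.NumOpens -ge $MinOpens })) {
        "$($s.ClientComputerName) as $($s.ClientUserName): $($s.NumOpens) open files"
        Get-SmbOpenFile -SessionId $s.SessionId | Select-Object -First 5 -ExpandProperty Path
        if (-not $ReportOnly) { Close-SmbSession -SessionId $s.SessionId -Force }
    }
}
# Close-LockingSmbSession -ReportOnly    # inspect first, then run without the switch
```

    Two caveats before relying on this: Detailed File Share auditing is noisy on a busy server, so forward 5145 to a SIEM rather than querying the local log in production, and a legitimate indexer or backup agent will also cross a naive per-minute threshold, which is why the baseline per client and per user matters more than the number chosen here.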

    Backup strategies that pull copies outside the SMB environment (cloud-synced or network-isolated) ensure that even a full file-lock event does not result in permanent data loss, though operational disruption during the lock period remains unavoidable. Note that a backup agent which opens live files directly is blocked like any other process, whereas one that reads from a Volume Shadow Copy snapshot is not, because the snapshot is a separate point-in-time volume that the locks do not cover.

    The forum advertisement of GhostLock suggests the tool is moving toward broader criminal availability. Whether it is adopted as a standalone extortion primitive or integrated into existing ransomware-as-a-service workflows, its emergence marks a category shift: extortion that causes full operational impact without the forensic footprint defenders have spent years learning to detect.
