A new proof-of-concept tool called GhostLock exposes a technique for abusing legitimate Windows file APIs to lock files and prevent access to local storage and SMB network shares. A security researcher released the tool to demonstrate how attackers could weaponize standard Windows functionality for denial-of-access attacks.
GhostLock leverages Windows API calls that applications use legitimately for file operations. By exploiting these APIs, an attacker can lock files in ways that bypass traditional file permissions and security controls. The attack works against both local files and those stored on SMB network shares, which are common in enterprise environments.
The tool demonstrates a class of attack that does not require exploiting a vulnerability or deploying malware with obvious signatures. Instead, it abuses functionality that Windows itself provides, making detection harder for security tools that whitelist legitimate processes. Organisations running file servers and network storage that expose SMB shares face the most immediate risk.
Victims of such an attack would lose access to critical files without necessarily detecting a breach. This differs from ransomware, which typically encrypts data and demands payment. GhostLock-style attacks simply block access, creating a denial-of-service condition against stored data. Recovery requires either removing the lock programmatically or restoring from backups.
For organisations, the risk centres on unpatched systems and insufficient network segmentation. If an attacker gains local execution rights on a machine or authenticated access to network shares, they can deploy GhostLock-like techniques. Defence requires monitoring for unusual file-locking activity, restricting SMB share access through network segmentation, and maintaining offline backups.
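One way to do the monitoring described above on a Windows file server, as an added example that is not from the article or from the tool's author. It assumes that a file locked over SMB is held through an open handle the server lists in Get-SmbOpenFile; the function name Get-SmbHandleOutlier and the threshold of 500 are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the SMB file server.
# Get-SmbHandleOutlier and its default threshold are hypothetical; tune the
# threshold to what is normal for this server.
function Get-SmbHandleOutlier {
    param(
        [int]$Threshold = 500,        # open handles per client/user before flagging
        [string]$PathFilter = '*'     # limit the check to one share path if needed
    )

    Get-SmbOpenFile |
        Where-Object { $_.Path -like $PathFilter } |
        Group-Object -Property ClientComputerName, ClientUserName |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                ClientComputerName = $first.ClientComputerName
                ClientUserName     = $first.ClientUserName
                OpenFiles          = $_.Count
                # Locks is the per-handle count of byte-range locks.
                ByteRangeLocks     = ($_.Group | Measure-Object -Property Locks -Sum).Sum
                SessionIds         = ($_.Group.SessionId | Sort-Object -Unique)
                SamplePaths        = ($_.Group.Path | Select-Object -First 5)
            }
        } |
        Sort-Object -Property OpenFiles -Descending
}

# Review the outliers before acting on them.
$outliers = Get-SmbHandleOutlier -Threshold 500
$outliers | Format-Table ClientComputerName, ClientUserName, OpenFiles, ByteRangeLocks -AutoSize

# After confirming a session is not legitimate, release its handles.
# -WhatIf only reports what would be closed; remove it to close them.
foreach ($o in $outliers) {
    foreach ($sid in $o.SessionIds) {
        Close-SmbOpenFile -SessionId $sid -WhatIf
    }
}
```

Backup jobs, indexers and antivirus scanners also hold many handles at once, so baseline those clients before alerting on the count alone.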
The proof-of-concept release serves as a wake-up call for defenders to audit their file access controls and monitor for abuse of legitimate APIs. IT teams should review which systems have SMB access, who can modify files, and what logging exists
