Published May 7, 2026 | Version v1 | Preprint | Open

GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon

Authors/Creators: Dvash, Kim (Annotator), Independent Security Researcher

Description

Traditional ransomware disrupts organizations by encrypting data and demanding payment for decryption keys. This paper presents a fundamentally different availability attack that achieves the same business disruption without writing a single encrypted byte to disk. By calling the Windows API CreateFileW with dwShareMode set to zero, a low-privileged domain user with standard read access to a corporate SMB file share can hold files in an exclusively locked state for an indefinite duration. The result is identical to ransomware from the victim's perspective: critical files become inaccessible, ERP and workflow systems fail, and recovery requires specialist intervention.

The difference is what the attack does not produce. No writes. No renames. No new file extensions. No encryption overhead. No C2 infrastructure. Every behavioral ransomware defense in the modern enterprise stack is completely blind to it. The only reliable detection signal sits inside the file server itself, in a metric that virtually no enterprise SIEM currently ingests.

No CVE. No patch. This is documented Windows behavior, working exactly as designed for 30 years. The GhostLock tool demonstrates this technique; it was developed and tested under explicit written authorization during an authorized red team engagement.

Files

ghostlock_whitepaper.pdf (54.3 kB), md5:c64df435515814f83cf09fd7b2463b32

Additional details

Software repository URL: https://github.com/kimd155/ghostlock
Programming language: Python
Development status: Active
The GhostLock technique is a novel availability attack where a low-privileged domain user can indefinitely lock files on an SMB share by calling the Windows API `CreateFileW` with `dwShareMode` set to zero, causing business disruption identical to ransomware without any file modification or encryption. This attack leverages documented Windows behavior, produces no typical ransomware indicators, and evades most behavioral defenses, with detection only possible via specific file server metrics.
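As an added defensive example that is not the paper's or the GhostLock repository's own code: a PowerShell monitor for the file server that surfaces per-session open-handle counts (the file-server-side signal the abstract refers to) and forwards them as JSON lines for SIEM ingestion. Get-SmbOpenFile and Close-SmbOpenFile are standard SmbShare cmdlets; the threshold, exclusion list and log path are assumptions, and because the cmdlet does not expose the handle's share mode, a high count is a triage cue rather than proof of a deny-share lock.

```powershell
# Added example, not part of the GhostLock paper or repository. Polls the handle table of a
# Windows file server with Get-SmbOpenFile and reports sessions holding an unusually large
# number of files open. Assumes it runs on the file server with Administrator rights.
# Threshold, exclusion list and log path are constructed placeholders; tune them per share.

function Get-SmbHandleOutliers {
    param(
        [int]$MinOpenFiles = 50,          # flag a session holding this many files or more
        [string[]]$ExcludeUsers = @()     # service accounts with legitimate bulk access
    )
    Get-SmbOpenFile -ErrorAction Stop |
        Where-Object { $ExcludeUsers -notcontains $_.ClientUserName } |
        Group-Object ClientUserName, ClientComputerName |
        Where-Object { $_.Count -ge $MinOpenFiles } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Timestamp          = (Get-Date).ToString('o')
                ClientUserName     = $first.ClientUserName
                ClientComputerName = $first.ClientComputerName
                OpenFileCount      = $_.Count
                SamplePaths        = ($_.Group.Path | Select-Object -First 3) -join ';'
                FileIds            = $_.Group.FileId   # kept so a responder can close them
            }
        }
}

# Writes each outlier as one JSON line so a log forwarder can ship it to the SIEM.
function Export-SmbHandleOutliers {
    param([string]$LogPath = 'C:\ProgramData\SmbHandleMonitor\outliers.jsonl')  # placeholder
    $dir = Split-Path $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-SmbHandleOutliers | ForEach-Object {
        $_ | Select-Object * -ExcludeProperty FileIds |
            ConvertTo-Json -Compress | Add-Content -Path $LogPath
    }
}

# Response action: release the handles of one flagged session. Closing handles disrupts
# legitimate users too, so it supports -WhatIf and belongs after triage, not in a scheduled loop.
function Close-SmbHandleOutlier {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][pscustomobject]$Outlier)
    foreach ($id in $Outlier.FileIds) {
        if ($PSCmdlet.ShouldProcess("FileId $id held by $($Outlier.ClientUserName)", 'Close-SmbOpenFile')) {
            Close-SmbOpenFile -FileId $id -Force
        }
    }
}
```

Schedule Export-SmbHandleOutliers every few minutes and alert on any session whose OpenFileCount jumps far above its baseline; a handle count that stays flat for hours while the same paths fail to open for other users is the pattern worth investigating.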