GhostLock PoC: Legitimate Windows File API Abused to Block Local and SMB File Access

A security researcher published GhostLock, a proof-of-concept tool demonstrating abuse of a legitimate Windows file-locking API to prevent access to files stored locally or on SMB network shares — without requiring elevated privileges or exploiting a vulnerability in the traditional sense.

The technique could be incorporated into ransomware or destructive attack tooling to render files inaccessible without encryption, or used as a denial-of-service primitive against file servers. Defenders should note that GhostLock-style abuse may not trigger traditional ransomware behavioral detections since no file modification or encryption occurs. Monitoring for abnormal file handle acquisitions and SMB locking patterns is the relevant detection angle.