GhostLock and the limits of threat hype: A closer look
ID: 0a75b7af-e319-5e7f-b164-3a81c49770f8
STIX ID: report--0a75b7af-e319-5e7f-b164-3a81c49770f8
Feed Name: ThreatLocker Blog
## Executive summary

This analysis reviews GhostLock, a Python proof of concept that automates acquisition of exclusive SMB file handles via CreateFileW to cause a temporary denial of service against a file share. The author concludes that the technique is neither a vulnerability nor ransomware (the locks are released when the SMB sessions end) and that it is detectable with existing telemetry once appropriate rules are written. The analysis also highlights operational gaps, in particular the absence of per-session exclusive-handle metrics in SIEMs, and recommends straightforward mitigations: detection rules, least privilege, allowlisting, and closer coordination between SecOps and StorageOps.
