Now that I have read this closely, it was only a matter of time before this behavior was weaponized. First, I am not saying Drake is Ghostlocker; I am pointing out how its default behavior over the past couple of years accentuates this potential issue with how Windows SMB could easily be used to execute this attack. Drake Accounting is famous for this behavior in my experience over the years. Drake used to clean up its file handles when you closed the program; it no longer does this. You have to sign out of Windows to clear the file handles on the server. Restarting the endpoint does not send the release commands to the server, and neither does shutting down. Only signing out of the machine sends the file lock release command. Sometimes I have to go into Windows servers and manually reset all of the file locks to clear things up so Drake will operate properly. Ghostlock takes this behavior and turns it into a very effective denial-of-service attack. Folks would assume it's ransomware, but nothing is written: it is simply telling Windows "I have the files, make them read-only until I say otherwise," which Windows dutifully does. The locks will stay active until the server is rebooted, the file handles are manually cleared, or the connection times out. Right now no SIEM or EDR/MDR/XDR detects this behavior as potentially problematic.

The problem is that simply monitoring for large numbers of reads is going to generate a ton of false positives. Rate limiting the file locks could cause performance issues as well. Because this is inherent in the way Windows shares files, Linux and BSD NAS/DAS devices can be locked this way as well, since they run SMB. Apple devices can also be used as either attackers or victims. This is one issue that is going to be challenging to mitigate without massive amounts of collateral damage. How to deal with this problem will have to be decided on a case-by-case basis.
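The open-handle inventory and the manual clearing of locks described above, as an added PowerShell example that is not the author's code: it groups open SMB handles by client on a Windows file server so that one machine holding an unusual number of handles stands out, then shows the per-share breakdown and session age for that client. It assumes the built-in SmbShare cmdlets (Windows Server 2012 and later) and local administrator rights on the server; the handle threshold, the allow-list of busy application servers, and the workstation name are placeholders you would replace.

```powershell
# Added example (not from the original post): triage persistent SMB file handles
# on a Windows file server. Requires the SmbShare module and admin rights.
# Threshold and allow-list values below are constructed placeholders.
param(
    [int]$HandleThreshold = 500,        # handles per client before it is flagged
    [string[]]$KnownBusyClients = @()   # app servers that legitimately hold many files
)

# 1. Inventory: every open handle on this server, grouped by the client holding it.
$open = Get-SmbOpenFile
$byClient = $open | Group-Object ClientComputerName | Sort-Object Count -Descending

Write-Host "Open SMB handles by client:"
$byClient | ForEach-Object {
    $flag = ''
    if ($_.Count -ge $HandleThreshold -and $KnownBusyClients -notcontains $_.Name) {
        $flag = '  <-- above threshold'
    }
    "{0,6}  {1}{2}" -f $_.Count, $_.Name, $flag
}

# 2. Drill-down for flagged clients: which shares are affected, how many handles
#    carry byte-range locks, and how old/idle the client's sessions are. A session
#    that is idle for hours yet still holds hundreds of handles matches the
#    "user closed the app but never signed out" pattern described in the post.
$suspects = $byClient | Where-Object {
    $_.Count -ge $HandleThreshold -and $KnownBusyClients -notcontains $_.Name
}
foreach ($s in $suspects) {
    Write-Host "`nClient $($s.Name): handles by share"
    $s.Group | Group-Object ShareName | ForEach-Object { "{0,6}  {1}" -f $_.Count, $_.Name }
    $locked = @($s.Group | Where-Object { $_.Locks -gt 0 }).Count
    Write-Host "  handles holding byte-range locks: $locked"
    Get-SmbSession -ClientComputerName $s.Name |
        Format-Table SessionId, ClientUserName, NumOpens, SecondsIdle, SecondsExists -AutoSize
}

# 3. Remediation without a server reboot: release one client's handles server-side.
#    Run only after confirming with that client's user, because any unsaved data in
#    those files is lost. Placeholder name; uncomment to use.
# Close-SmbOpenFile -ClientComputerName 'WORKSTATION-01' -Force
```

Scheduling the inventory step and forwarding its output to a SIEM gives a baseline of handles per client, which is a narrower signal than raw read volume and avoids many of the false positives mentioned above.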

The following article talks about this in detail. If you are seeing unusual access-denied errors and have not detected malware, you may have been hit by Ghostlock or something similar. Contact ETC Maryland for an assessment of your situation.
