Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: smb (2 articles)Clear

Ransomware crews pose as Interpol to pressure small businesses into paying

Dark Reading reports a ransomware campaign that leans on impersonating Interpol to pressure small businesses, using straightforward social engineering rather than sophisticated tooling. By dressing up their demands as communications from the international police organization, the attackers try to intimidate owners and staff who may lack dedicated security teams into believing they are in legal trouble and paying up. The campaign spans several regions, including the United States, Europe, and the Middle East. It is a reminder that authority-themed impersonation remains effective against smaller organizations, where a convincing-looking notice can short-circuit normal caution and verification.

Check
Warn staff, especially at smaller organizations, that law-enforcement bodies like Interpol do not demand payment by email or pop-up, and that any such message should be verified through official channels before acting.
Affected
Small and mid-sized businesses without dedicated security teams, across the US, Europe, and the Middle East; attackers use Interpol-themed intimidation to rush victims into paying rather than verifying the demand's legitimacy.
Fix
Train employees to recognize authority-impersonation scams, verify any law-enforcement contact independently, maintain tested offline backups, and give staff a clear, judgment-free way to report suspicious demands before they act.

GhostLock proof-of-concept abuses Windows file-sharing API to disrupt file access without encryption

A researcher at Israel Aerospace Industries published a proof-of-concept tool called GhostLock that uses a legitimate Windows API call to make files unreadable without encrypting anything. The technique abuses the dwShareMode parameter of CreateFileW - setting it to 0 grants the calling process exclusive access, so every other user or app trying to open the file gets a sharing violation. GhostLock automates this recursively across SMB shares from a standard domain user account, no elevation required. Researcher Kim Dvash frames it as a disruption attack, not destructive - data is not lost, but operational downtime can mirror a ransomware incident.

Check
Review your EDR and SIEM detection rules for behavior-based ransomware indicators. Verify they cover sharing-violation spikes and ShareAccess=0 file-open counts, not just mass file write or encryption activity.
Affected
Windows file servers and SMB shares in environments where any standard domain user account can authenticate. No CVE has been assigned - GhostLock abuses intended Windows file-sharing behavior, not a flaw. Behavioral detection systems focused on mass writes or encryption operations will not flag this attack pattern; the attack also requires no elevation.
Fix
Implement detection at the file server layer: monitor per-session open-file counts with ShareAccess=0 - the reliable signal Dvash identifies, which lives in storage platform management interfaces, not Windows event logs or EDR telemetry. Pull the SIEM queries and NDR rule from the GhostLock whitepaper as a detection template. Limit which domain user accounts have read or write access to critical shares.