encryption operations

Winsage
May 11, 2026
A security researcher has developed a proof-of-concept tool called GhostLock, which exploits a vulnerability in the Windows file API, specifically the 'CreateFileW' function. By manipulating the 'dwShareMode' parameter to grant exclusive access to files, GhostLock can prevent other users or applications from opening those files, resulting in a 'STATUS_SHARING_VIOLATION' error. The tool automates the process of opening multiple files on SMB shares, causing access disruptions without requiring elevated privileges. This technique is intended as a disruption attack rather than a destructive one, similar to ransomware, and can serve as a diversion during intrusions. Detection of this attack relies on monitoring the open-file count with ShareAccess set to 0 at the file server layer. Dvash has provided resources for IT teams to enhance detection capabilities against this threat.
Winsage
July 10, 2024
- Eldorado ransomware attacks have significantly increased, targeting various industries with cross-platform encryption operations.
- Affiliates of Eldorado ransomware are actively seeking skilled partners on RAMP ransomware forums, posing a threat to users, especially those on Linux servers.
- The RAMP forum promoted 60% of new RaaS programs between 2022 and 2023, indicating a growing demand for skilled affiliates in the ransomware landscape.
- Eldorado ransomware utilizes advanced encryption algorithms on Windows and Linux platforms, leveraging the SMB protocol to encrypt large files on victim networks.
- Until June 2024, Eldorado ransomware attacks have targeted 16 companies across different countries and industries, with the US being the most affected.