If EDR is so great, why are attackers still finding ways to disrupt businesses without triggering alarms?
That is the uncomfortable question raised by a newly disclosed proof-of-concept attack called GhostLock. Instead of encrypting files like traditional ransomware, GhostLock abuses legitimate Windows file-sharing semantics to block access to files on local disks and on network shares. The result is operational chaos without the usual ransomware indicators many security tools are trained to detect.
According to a recent report from BleepingComputer, the technique calls the standard Windows API CreateFileW with a share mode that forbids any other access, locking files so other users and applications cannot open them. No administrative privileges are needed: a standard domain user with ordinary read access to the files can run it.
That should concern every business leader.
A security researcher released a proof of concept tool named GhostLock that demonstrates how attackers can abuse normal Windows file-sharing behavior to deny access to files stored locally or on SMB network shares.
Instead of encrypting data, GhostLock opens each target file with the share-mode parameter of CreateFileW set to zero, which tells Windows that no other handle may be opened to that file while this one exists. Every other user or application that then tries to open the file receives a sharing violation (Win32 error 32, ERROR_SHARING_VIOLATION).
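The following PowerShell is an added example, not code from GhostLock or its author. It reproduces the exclusive-open behaviour described above with .NET's FileStream, which calls CreateFileW with dwShareMode = 0 when FileShare.None is passed, and then shows what a second opener sees. The file path and contents are constructed for the demo.

```powershell
# Added example (not GhostLock's code). FileShare.None maps to CreateFileW's
# dwShareMode = 0, i.e. "no other handle may be opened while mine is open".
# The path is an assumption; point it at a scratch file you own.
$target = Join-Path $env:TEMP 'ghostlock-demo.xlsx'
Set-Content -Path $target -Value 'constructed sample content'

# Opener 1 ("attacker"): an ordinary user with read access is enough. No admin
# rights, no write access and no change to the file's bytes are involved.
$hold = [System.IO.File]::Open($target,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read,
    [System.IO.FileShare]::None)

# Opener 2 ("victim application"): any access request now fails. .NET surfaces
# Win32 ERROR_SHARING_VIOLATION (32) as an IOException with HResult 0x80070020.
function Test-FileAccessible([string]$Path) {
    try {
        $s = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $s.Dispose()
        return $true
    } catch [System.IO.IOException] {
        # PowerShell may wrap the .NET exception; GetBaseException() unwraps it.
        $ex = $_.Exception.GetBaseException()
        Write-Warning ('{0} (HResult 0x{1:X8})' -f $ex.Message, $ex.HResult)
        return $false
    }
}

Test-FileAccessible $target                           # False while $hold is open
Get-Content $target -ErrorAction SilentlyContinue     # also fails: in use by another process

# Releasing the handle, or ending the process that owns it, restores access
# immediately; nothing on disk changed, so there is nothing to restore.
$hold.Dispose()
Test-FileAccessible $target                           # True
Remove-Item $target
```

Two properties of Windows sharing rules are worth knowing before you assess exposure. First, the lock lives only as long as the handle: killing the holding process (or, for a share, closing its SMB session on the server) frees every file at once. Second, the exclusive open itself fails if any other handle to the file already exists, so a document a user currently has open in Excel or Word cannot be taken over; it is the idle files on a share that are exposed.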
From the user perspective, critical business files suddenly become unavailable.
Finance teams may lose access to spreadsheets. Manufacturing systems may fail to retrieve production files. Legal departments may be locked out of documents. Shared business operations can grind to a halt even though the data itself was never encrypted or deleted.
The researcher specifically noted that this should be viewed as a disruption (denial-of-service) attack rather than destructive ransomware: no data is encrypted or deleted, and access returns as soon as the locking handles are closed. The operational downtime while they are held, however, can look very similar to a ransomware event.
Traditional ransomware usually modifies files through encryption. That behavior often creates detectable warning signs such as mass file writes, suspicious encryption activity, or unusual process behavior.
GhostLock takes a different approach.
The attack generates nothing but legitimate file-open requests through built-in Windows functionality: no writes, no renames, no change to file contents. Since many EDR and behavioral security tools key on file modification or encryption-like patterns, this activity can blend into normal operations.
This is another example of what security professionals call “living off the land” techniques. Attackers increasingly abuse trusted operating system features instead of deploying obviously malicious malware.
That creates a major challenge for organizations relying heavily on Detect and Respond strategies.
Modern attackers understand how traditional security products work.
Many endpoint tools focus on identifying known malware signatures, suspicious encryption activity, or malicious executables. But attacks today increasingly involve:
GhostLock highlights a growing security reality. Attackers do not always need sophisticated malware to cause business disruption. Sometimes they simply abuse features already trusted by the operating system.
This is one reason many organizations continue suffering damaging cyber incidents despite large investments in EDR platforms.
According to the IBM Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million in 2024. Meanwhile, breaches involving stolen or compromised credentials took an average of 292 days to identify and contain. Long detection timelines create enormous opportunities for operational disruption and lateral movement.
The Verizon 2025 Data Breach Investigations Report also found that credential abuse and exploitation of vulnerabilities remain among the most common initial attack vectors in real-world breaches.
Those statistics matter because attacks like GhostLock can easily become part of larger intrusion campaigns.
Can it slip past EDR? In many cases, yes. The GhostLock researcher specifically warned that many EDR platforms may struggle to reliably identify this behavior because the activity appears as legitimate file operations rather than overtly malicious behavior.
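Where the endpoint agent sees only ordinary opens, the file server still knows exactly who holds which handles. The following PowerShell is an added example, not part of the researcher's tool or of any vendor's product: run as an administrator on the Windows server hosting the share, it groups open SMB files by client and user, flags anyone holding an unusual number of them, and shows how to release the handles. The share path and the threshold are assumptions to tune for your environment.

```powershell
# Added example (not GhostLock code). Requires the built-in SmbShare module and
# local administrator rights on the file server.
Import-Module SmbShare

function Find-SuspiciousSmbOpens {
    param(
        [string]$SharePath = 'D:\Shares\Finance',   # assumed share root on disk
        [int]$Threshold    = 25                     # assumed: opens per user worth a look
    )
    Get-SmbOpenFile |
        Where-Object { $_.Path -like "$SharePath*" } |
        Group-Object ClientUserName, ClientComputerName |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].ClientUserName
                Client    = $_.Group[0].ClientComputerName
                OpenFiles = $_.Count
                Sessions  = ($_.Group.SessionId | Sort-Object -Unique) -join ','
                FileIds   = @($_.Group.FileId)
            }
        }
}

$hits = Find-SuspiciousSmbOpens -SharePath 'D:\Shares\Finance' -Threshold 25
$hits | Format-Table User, Client, OpenFiles, Sessions -AutoSize

# Containment: closing the handles releases the locks instantly, and because
# nothing on disk was modified there is nothing to restore. Force-closing a
# legitimate user's handles can lose unsaved edits, so confirm the account first.
foreach ($h in $hits) {
    Close-SmbOpenFile -FileId $h.FileIds -Force
    # To stop the tool from simply reopening the files, also end the session
    # (Close-SmbSession -SessionId <id> -Force) and disable the account.
}
```

Get-SmbOpenFile reports who holds a file, not the share mode they requested, so the confirmation that the handles are exclusive is that other clients receive sharing violations on those paths. For local disks the same response applies with the process instead of the session: ending the process that owns the handles frees the files.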
Attackers increasingly understand how to bypass or overwhelm detection-based systems by:
This is not theoretical anymore.
Over the past several years, businesses have repeatedly seen attacks where adversaries disable security tools, abuse native Windows utilities, or move laterally without dropping traditional malware.
The problem is not necessarily that EDR tools are ineffective. The problem is that Detect and Respond assumes the attack is allowed to execute first.
That assumption creates risk.
Business leaders should view GhostLock as a warning about operational resilience.
Even temporary disruptions can create significant consequences, including:
For industries dependent on shared file environments such as healthcare, manufacturing, finance, legal services, and logistics, the operational impact could become severe very quickly.
The attack also creates a potential distraction opportunity.
While IT teams focus on restoring file access, attackers could simultaneously conduct data theft, credential harvesting, or lateral movement elsewhere in the environment.
Traditional security models largely focus on identifying malicious behavior after execution begins.
But modern attacks increasingly move faster than security teams can investigate and respond.
Attackers now routinely:
This is why many cybersecurity experts are shifting toward prevention-first architectures focused on Isolation and Containment.
Instead of assuming detection will succeed quickly enough, prevention-first security aims to stop unauthorized activity before execution can cause damage.
That includes:
A prevention-first approach helps stop attacks before encryption, disruption, or lateral movement begins.
Solutions such as AppGuard have focused on this model for years, with a 10-year track record of preventing unauthorized actions at the endpoint through Isolation and Containment.
Business leaders should assume that detection alone will eventually fail against some attacks.
That does not mean abandoning EDR. It means strengthening security posture with prevention and containment layers that reduce exposure before damage occurs.
Practical steps include:
Organizations should also closely examine how dependent they are on shared storage systems and whether temporary access disruptions could halt operations.
GhostLock demonstrates that attackers do not always need encryption to create ransomware-like business impact.
Sometimes simply denying access is enough.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.