CurveLock: Exploring Elliptic Curves Implementation in Modern Ransomware
Abstract
The rapid evolution of ransomware poses a significant threat to society, with attackers continuously developing advanced evasion techniques and encryption methods to bypass detection and maximize impact. This study examines the future of ransomware encryption and the increasing ubiquity of Ransomware-as-a-Service (RaaS), which allows even non-technical individuals to execute elaborate attacks. We present CurveLock, a proof-of-concept malware intended to showcase the advanced capabilities of next-generation ransomware. CurveLock uses elliptic curve cryptography (ECC) in conjunction with the Diffie-Hellman key exchange to derive AES-256 encryption keys, yielding strong and efficient file encryption. This approach not only improves cryptographic resilience but also reduces computational burden, making it more scalable for large-scale attacks. Additionally, CurveLock incorporates multiple evasive measures, such as NT Layer DLL (NTDLL) unhooking, Application Programming Interface (API) hammering, and compile-time Import Address Table (IAT) camouflage, to evade detection by modern security solutions. By analyzing CurveLock’s architecture and techniques, this paper highlights the increasing sophistication of ransomware and underscores the urgent need for advanced defensive strategies.
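The abstract describes the key-management design in one sentence: an elliptic-curve Diffie-Hellman exchange produces the AES-256 key used to encrypt each file. The following Go program is an added illustration of that hybrid pattern and is not CurveLock's code; the abstract names neither the curve, the key-derivation function nor the AES mode, so P-256, HKDF-SHA256 and AES-256-GCM are assumptions, as is the context label in the KDF. The attacker's static public key is the only key material the victim-side routine needs; a fresh ephemeral key pair is generated per file, the shared secret is turned into the file key, and the ephemeral private key is discarded. The ephemeral public key is stored beside the ciphertext, so the file key can only be rebuilt by whoever holds the attacker's static private key. That is what makes the scheme cheap for the attacker (no per-victim key server round trip, no RSA operations) and what an incident responder should look for in a sample: a hard-coded curve point and a per-file header carrying an ephemeral point rather than a recoverable key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the per-file record the scheme leaves on disk. Everything
// needed to rebuild the AES key is here except the attacker's static private
// key, which never exists on the victim machine.
type EncryptedFile struct {
	EphemeralPub []byte // uncompressed P-256 point, 65 bytes
	Nonce        []byte // 12-byte AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM ciphertext followed by the 16-byte tag
}

// hkdfSHA256 is RFC 5869 extract plus one expand block, which is all that is
// needed for a 32-byte output.
func hkdfSHA256(secret, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// deriveFileKey performs the ECDH step on P-256 and runs the shared point
// through the KDF, using the ephemeral public key as salt so the derived key
// is bound to this particular exchange.
func deriveFileKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, ephemeralPub []byte) ([]byte, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	// Assumed context label; any fixed string works as long as both sides agree.
	return hkdfSHA256(shared, ephemeralPub, []byte("curvelock-example-aes256-gcm")), nil
}

// EncryptFile models the victim-side routine: new ephemeral key pair per file,
// shared secret with the embedded attacker public key, AES-256-GCM, and the
// ephemeral private key is dropped as soon as the file key has been derived.
func EncryptFile(attackerPub *ecdh.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	key, err := deriveFileKey(eph, attackerPub, ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The ephemeral point is authenticated as additional data, so tampering
	// with the stored header is detected at decryption time.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &EncryptedFile{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile models the attacker-side decryptor. Only the holder of the static
// private key can recompute the shared secret from the stored ephemeral point.
func DecryptFile(attackerPriv *ecdh.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(ef.EphemeralPub)
	if err != nil {
		return nil, err
	}
	key, err := deriveFileKey(attackerPriv, ephPub, ef.EphemeralPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, ef.EphemeralPub)
}

func main() {
	// Attacker generates the static pair once; only attacker.PublicKey() would
	// be compiled into a payload. Plaintext below is a constructed sample.
	attacker, _ := ecdh.P256().GenerateKey(rand.Reader)
	ef, _ := EncryptFile(attacker.PublicKey(), []byte("constructed sample document"))
	fmt.Printf("ephemeral point %x\nnonce %x\n", ef.EphemeralPub[:8], ef.Nonce)
	pt, err := DecryptFile(attacker, ef)
	fmt.Printf("recovered %q err=%v\n", pt, err)
}
```

Two properties follow directly from the code and matter for triage: encrypting the same file twice yields different ephemeral points and different file keys, so no key material is shared across files that could be recovered from one and reused on another, and a decryptor built with any key other than the attacker's static private key fails the GCM tag check rather than producing garbage, which is why recovery efforts focus on finding that private key rather than on the files themselves.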