{
	"id": "f07d517f-9b6c-4024-9ac5-181469ca55a8",
	"created_at": "2026-04-06T00:12:54.577329Z",
	"updated_at": "2026-04-10T03:24:24.83979Z",
	"deleted_at": null,
	"sha1_hash": "f0bfabe07de259b2348a3e0c236a4747b57fe2b4",
	"title": "Translated: Talos' insights from the recently leaked Conti ransomware playbook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 302625,
	"plain_text": "Translated: Talos' insights from the recently leaked Conti ransomware playbook\r\nBy William Largent\r\nPublished: 2021-09-02 · Archived: 2026-04-05 15:03:49 UTC\r\nThursday, September 2, 2021 08:02\r\nExecutive summary\r\nCisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also translated a Cobalt Strike manual that the authors referenced while creating their playbook.\r\nThese documents, written mostly in Cyrillic, were allegedly released by an affiliate upset with Conti. We believe that this translation is an extremely important contribution to the community, as machine-translated efforts have missed some interesting insights and led to some garbled passages.\r\nNotably, the LockBit operator we interviewed warned us that something like this would take place. They stated that in a ransomware cartel, \"Someone will sell them out from the inside,\" which is allegedly what took place in this case. The LockBit operator also told us that ransomware actors use various channels on the messaging app Telegram to stay on top of the latest exploits and attack trends. A look into a list of Telegram channels deemed interesting by the playbook authors shows numerous channels that were potentially leveraged for this exact use.\r\nTalos' main takeaway from this playbook is that operators of all skill levels are involved with Conti. Some adversaries who are very new to the malware scene could follow this playbook to compromise a major, enterprise network with relatively little experience. At the end of this post, we've attached a full English translation of the documents.\r\nhttps://blog.talosintelligence.com/2021/09/Conti-leak-translation.html\r\nPage 1 of 7\r\nTranslation notes\r\nWhile translating, our linguists discovered many grammatical mistakes, potentially indicating the writing process was rushed. But based on the language used, the authors likely possess at least a high school education. It is unclear whether the document was originally written entirely in Russian or they machine translated some English-language documents and included them in the playbook. The document contains some peculiar word choices that could be caused by auto-translation, or just poor writing. The playbook contains transliterated abbreviations, words and phrases, though this could be because there are no equivalents in Russian or the authors were unaware or preferred not to use them. However, even if it included machine translations, the playbook was likely later reviewed and edited to sound natural for a Russian-speaking audience. Regardless, it is clear that the authors pulled information from a variety of open-source materials in compiling the document. There are French passages present in various documents, as well, but only as examples of Cobalt Strike output, likely indicating that they were created during or copied from an attack targeting French companies.\r\nInsights into the adversary\r\nReferences to team leads, chats and conferences indicate that the group is at least somewhat well-organized. They also display a familiarity with corporate network environments, such as where prized assets are located and how to access them. This is particularly true for U.S. and European networks, which they note have enhanced documentation that provides for easier targeting. Of note, the only \"geographical\" mention by the adversaries was the mention of U.S./EU active directory (AD) structures. Their instructions, which are meticulous and easy to follow, also demonstrate that they are efficient and methodical.\r\nThrough the leaker's posts, we learned that the alleged salary for a Conti pentester was around $1,500 USD. Several dark web posts noted that this was relatively low and others said it is more profitable to be legitimately employed than to work with Conti, based on their low payments as a whole.\r\nActors discuss low payments for Conti.\r\nInsights into the leaker\r\nFrom information derived from the dark web, we learned the alleged identity of the leaker is \"m1Geelka.\" This is apparently a young individual who was a lower-level member of Conti. m1Geelka claims that they are not a pentester but are interested in IT.\r\nBased on information from their Telegram account, they appear to be based in Ukraine. M1Geelka claimed they were not paid by Conti for their services, prompting them to release this information to exact revenge on Conti.\r\nPost containing the initial leaked documents.\r\nLater, they claimed they leaked the documents to better understand Conti and not for revenge, and they only leaked elements that could be detectable by anti-virus (AV) software, not more private elements, since the leaker respects the work of their coders.\r\nm1Geelka clarifies their reasons for leaking the documents.\r\nBarrier to entry\r\nOne of the biggest takeaways during the translation was the overall thoroughness and detail of these playbooks. The level of detail provided could allow even amateur adversaries to carry out destructive ransomware attacks, a much lower barrier to entry than other forms of attacks. This lower barrier to entry also may have led to the leak by a disgruntled member who was viewed as less technical (aka \"a script kiddie\") and less important.\r\nHunting for admin access\r\nThe adversaries list several ways to hunt for administrator access once on the victim network. They use commands such as Net to list users and tools like AdFind to enumerate users with access to Active Directory, and even OSINT, including the use of social media sites like LinkedIn to identify roles and users with privileged access. They note that this hunting process is particularly easy in U.S. and EU networks because of how they are structured and how roles and responsibilities are commonly detailed in comments.\r\nCobalt Strike\r\nThe primary tool described in this playbook is the red-teaming framework Cobalt Strike. The release included a version 4.3 of Cobalt Strike, and the JARM hash for the server matched what we would expect from a cracked Cobalt Strike server. The tool worked well. The playbook also pulled heavily from a Russian-language manual describing how to conduct attacks against Active Directory. We identified the Russian manual the authors were leveraging, and have translated and included it as well in this report.\r\nThe Cobalt Strike version included in the playbook.\r\nTools listed by the adversary\r\nBesides Cobalt Strike, our linguists identified several other tools and native Windows utilities listed in the playbook. Of the tools and utilities mentioned, many have been commonly associated with previous ransomware operations, while others appear to be less familiar. Of the tools and command-line utilities the adversary mentioned, Talos identified those that have been commonly used by ransomware operators for reconnaissance and discovery, such as the use of ADFind to query for information on Active Directory (AD), and whoami to enumerate groups the user is a member of.\r\nThese actors also appear to be using two tools — Armitage and SharpView — that are not commonly seen in Cisco Talos Incident Response (CTIR) ransomware engagements. Armitage is a red-team toolkit built on the Metasploit framework that enables the user to launch exploits, scans, and more, while SharpView is a .NET port of PowerView, one of many tools contained within the PowerSploit offensive PowerShell toolkit.\r\nSharpChrome and SeatBelt — two other tools we have not seen used in CTIR ransomware engagements — were also used for credential-dumping. SharpChrome is a Chrome-specific implementation of SharpDPAPI and attempts to decrypt logins and cookies. SeatBelt is a project written in C# that collects system data such as OS information (version, architecture), UAC system policies, user folders and more.\r\nComparisons to previous ransomware IR engagements involving Conti\r\nOnce our linguists translated the documents, we compared some of the techniques mentioned in the manuals and guides with activities and TTPs we have observed in CTIR engagements that involved the Conti ransomware. In many ransomware engagements, CTIR typically observes the adversary using PowerShell to disable Windows Defender real-time monitoring. This is in contrast to the adversary's instructions to manually disable real-time monitoring, which is much more interactive and time-consuming.\r\nHowever, PowerShell wasn't the only tool mentioned by these adversaries to disable Windows Defender — the adversaries suggest using GMER as an alternative. GMER is a tool CTIR has observed across a few ransomware engagements, including at least one Conti engagement. GMER is marketed as an \"anti-rootkit\" tool and has been used by ransomware actors to identify protections and AV and to stop or remove them. Monitoring for the execution of GMER could help identify precursor activity to ransomware events. Since GMER hasn't been updated in several years, hash-based tracking is easy and effective.\r\nCTIR assessed in at least one Conti engagement with a high degree of confidence that the adversary potentially had access to every account within the active directory (AD) environment. This is interesting given that the leaked Conti documents contain a number of techniques and advice on AD hunting in the victim environment. The accounts the adversary leveraged in at least one CTIR engagement also included Administrator and IT accounts, both of which were emphasized as valuable targets for AD hunting in the leaked playbook.\r\nThe adversaries also included instructions on CVE-2020-1472 Zerologon exploitation in Cobalt Strike. In a previous Ryuk ransomware engagement from Q2 2021, we observed the adversary access several additional resources within that environment and employ a privilege escalation exploit leveraging CVE-2020-1472 to impersonate a domain controller. Talos first started observing Ryuk adversaries using the Zerologon privilege-escalation vulnerability in September 2020 and continued updating their attacks on the health care and public health sectors in October. Some researchers have described Conti as the successor to Ryuk.\r\nThis documentation allows both seasoned criminals and those newer to the scene the ability to conduct large-scale, damaging campaigns. This shows that although some of the techniques used by these groups are sophisticated, the adversaries carrying out the actual attacks may not necessarily be advanced.\r\nAdditionally, this translation will provide defenders with a more complete view into the TTPs of these actors. This is an opportunity for defenders to make sure they have logic in place to detect these types of behaviors or compensating controls to help mitigate the risk. This translation should be viewed as an opportunity for defenders to get a better handle on how these groups operate and the tools they tend to leverage in these attacks.\r\nFull translation\r\nhere in pdf.\r\nthe txt files via zip.\r\nSource: https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html"
	],
	"report_names": [
		"Conti-leak-translation.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0bfabe07de259b2348a3e0c236a4747b57fe2b4.pdf",
		"text": "https://archive.orkl.eu/f0bfabe07de259b2348a3e0c236a4747b57fe2b4.txt",
		"img": "https://archive.orkl.eu/f0bfabe07de259b2348a3e0c236a4747b57fe2b4.jpg"
	}
}