The Maze Ransomware Group is one of the most notorious threat actor groups targeting large enterprises, such as Cognizant, Xerox, and Canon, and stealing massive amounts of sensitive data. Some of their ransomware distribution methods include spamming, phishing, and brute forcing.
Although the group announced its shutdown in November 2020, its almost two-year operation left traces of its digital footprint—some of which are still active today. WhoisXML API researchers examined the domain infrastructure known to have been used by the group and uncovered the following:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Our investigation focused on publicly available IoCs, primarily three .top domains containing the text string “maze,” alongside “news” and “decrypt,” and a nameserver. With these insights and data points, Reverse WHOIS returned 437 domains. Note that thousands of domains shared the nameservers identified in our study, but we focused on the .top domains only to avoid as many false positives as possible.
Furthermore, the IoCs’ historical WHOIS records pointed us to three unredacted registrant email addresses. These addresses were used to register 4,197 domains at one point, potentially connecting them to the threat group.
More than half of the connected domains are currently active and resolve to 5,575 unique IP addresses. Most of these properties resolved to either error pages, phishing site warnings, or gambling content. Below are some website screenshots from Screenshot API.
[Screenshots: web server down; phishing site warning; gambling sites]
While we can argue that some of the artifacts we uncovered could have a coincidental connection with the Maze IoCs, we can’t discount the fact that hundreds of them have been flagged as malicious. In fact, 10% of the connected domains were malicious based on a bulk malware check dated 5 September 2022.
Only two malicious properties contained “maze,” and most of the malicious artifacts were connected to the IoCs via registrant email addresses and nameservers.
We determined the locations of the artifacts based on their registrant countries and IP address geolocations. Most of the artifacts were registered in China, although nearly 50% of the resolving properties were geolocated in the U.S. Canada came in as the second top IP geolocation, followed by China and Russia.
Bulk WHOIS results reveal that a majority of the artifacts were registered under PDR Ltd. (36%), followed by GoDaddy (14%), TurnCommerce (7%), Namecheap (4%), Media Elite Holdings (4%), Alibaba Cloud Computing (3%), DropCatch (3%), TPP Wholesale (3%), Google (2%), and Domain International Services Ltd. (2%).
On the other hand, the currently active artifacts mostly resolved to IP addresses belonging to Cloudflare (41%). The other top Internet service providers (ISPs) include Hong Kong Mega Layer Technology (6%) and Google (4%). The rest of the top 10 are shown in the chart below. UAB, Stark Industries Solutions, OOO Network of Data Centers, and EGIHosting each had less than a 1% share of the IP resolutions.
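The pivot described above (seed IoCs to domains sharing a nameserver, restricted to .top to limit false positives, then to domains sharing a registrant email, then a breakdown of the connected set by registrar or ISP), as an added Python example that is not part of the original post. Every domain, email, nameserver, registrar, ISP and IP below is a constructed placeholder, and the WHOIS/DNS lookups are modelled as a local list rather than calls to any API.

```python
from collections import Counter

# Constructed sample records standing in for WHOIS + DNS lookups.
# None for ip/isp marks a domain that does not currently resolve.
RECORDS = [
    {"domain": "mazenews.top",    "ns": "ns1.placeholder-ns.top", "email": "reg-a@example.com",  "registrar": "Registrar A", "ip": "203.0.113.10", "isp": "ISP X"},
    {"domain": "mazedecrypt.top", "ns": "ns1.placeholder-ns.top", "email": "reg-b@example.com",  "registrar": "Registrar A", "ip": "203.0.113.11", "isp": "ISP X"},
    {"domain": "shop-one.top",    "ns": "ns1.placeholder-ns.top", "email": "other@example.com",  "registrar": "Registrar B", "ip": "198.51.100.5", "isp": "ISP Y"},
    {"domain": "shop-two.com",    "ns": "ns1.placeholder-ns.top", "email": "other@example.com",  "registrar": "Registrar B", "ip": None,           "isp": None},
    {"domain": "unrelated.net",   "ns": "ns1.other-ns.net",       "email": "reg-a@example.com",  "registrar": "Registrar C", "ip": "198.51.100.9", "isp": "ISP Y"},
    {"domain": "nothing.org",     "ns": "ns1.other-ns.net",       "email": "nobody@example.com", "registrar": "Registrar C", "ip": "192.0.2.7",    "isp": "ISP Z"},
]
SEEDS = ["mazenews.top", "mazedecrypt.top"]  # the known IoCs the pivot starts from


def pivot(records, seeds, ns_tld=".top"):
    """Return {domain: {reasons}} for domains linked to the seeds.

    A nameserver match only counts when the domain is under ns_tld, mirroring
    the study's .top restriction; a registrant-email match counts for any TLD.
    """
    by_domain = {r["domain"]: r for r in records}
    seed_ns = {by_domain[s]["ns"] for s in seeds}
    seed_emails = {by_domain[s]["email"] for s in seeds}
    connected = {}
    for r in records:
        if r["domain"] in seeds:
            continue
        if r["ns"] in seed_ns and r["domain"].endswith(ns_tld):
            connected.setdefault(r["domain"], set()).add("nameserver")
        if r["email"] in seed_emails:
            connected.setdefault(r["domain"], set()).add("registrant_email")
    return connected


def share_by(records, domains, key):
    """Rounded percentage breakdown of the connected domains by one field.

    Domains with no value for the field (e.g. non-resolving ones when key
    is 'isp') are left out of the denominator, as in an IP-resolution share.
    """
    counts = Counter(r[key] for r in records if r["domain"] in domains and r[key])
    total = sum(counts.values())
    return {k: round(100 * v / total) for k, v in counts.most_common()}


if __name__ == "__main__":
    linked = pivot(RECORDS, SEEDS)
    print("connected:", linked)
    print("by registrar:", share_by(RECORDS, set(linked), "registrar"))
    print("by ISP:", share_by(RECORDS, set(linked), "isp"))
```

Swapping the local list for real Reverse WHOIS, historical WHOIS and DNS lookups leaves the pivot and breakdown logic unchanged.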
The Maze Ransomware Group may have publicly bid goodbye to its malicious operations, but evidence suggests that parts of its digital infrastructure are still active. Whether or not the same threat actors manage these properties, continued monitoring of them is advisable.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.