Technical details of the ransomware continue to emerge as security researchers investigate.
The WannaCry ransomware "kill switch" a security researcher commandeered on Saturday that ultimately curbed the epidemic spread of the attack worldwide may not have been a kill switch after all, some security experts now believe.
Kevin Mandia, CEO of FireEye, said in an interview today that FireEye found four domains created by the attackers, and that rather than kill switches, the domains appear to be set up for evading virtual machines and sandboxes.
"A kill switch is the least elegant way not to run in a VM. They picked domains that don't exist," Mandia said. "Security tools do this [including FireEye's]: it serves up fictional domains to see the behaviors of the malware running. They didn't want to run the ransomware on VMs, and not have [those victims] pay the ransom."
A UK security researcher who goes by the handle @MalwareTech late last week inadvertently saved the day when he registered a domain whose address he spotted in the WannaCry malware, a move than resulted in a kill switch effect, sinkholing the infected machines that called out to that domain address. A second domain was found and sinkholed earlier this week.