[cesarb]

> Two domains, one defuses the ransomware, the other detonates it.

And one of the domains will be called redwire[randomchars].com, and the other bluewire[randomchars].com. Which one do you sinkhole, the red wire or the blue wire?

[snowwrestler]

You just test both in a disposable environment, and then you know which one to sinkhole publicly.

The researcher in this case registered the domain right away because he had experience that that creates a positive result. Once that sort of thing starts creating bad results, then researchers will start testing more carefully before grabbing domains.

[eddyg]

This would be Very Bad if your ISP is one of those that intercepts NXDOMAIN responses and instead returns an A record to some other "helpful" thing... or some DNS provider that returns a "this site has been blocked by your administrators" page...

[tgb]

The article says this already is done in other malware.