by roblabla 2227 days ago
His goal was to kill the malware. Registering the (unclaimed) domain in the binary was supposed to be step 0 to this. Such a domain would almost certainly act as a control center of some sort. You can claim it while it's still available and analyze the malware or even just the traffic reaching your domain to try and neuter it. Even if there's no killswitch, maybe sending invalid data will cause the malware to malfunction and effectively stop its spread for example.

The fact that just registering the domain killed WannaCry wasn't expected, but his intent was to kill the virus from the start; that's no accident.

2 comments
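The comment above mentions analysing the traffic that reaches a sinkholed domain. As an added illustration (not code from the thread or from any real sinkhole), here is a small log summariser that counts unique source addresses and first-seen hosts per hour in a web-server access log for such a domain, which is the most direct way to estimate how many hosts are checking in. The log lines, the addresses and the request shapes are constructed placeholders, not real WannaCry data.

```python
"""Summarise traffic reaching a sinkholed kill-switch domain."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache common/combined log format.
# Addresses are from documentation ranges; nothing here is real sinkhole data.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2017:15:01:03 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [12/May/2017:15:01:09 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.42 - - [12/May/2017:15:02:11 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
192.0.2.9 - - [12/May/2017:16:10:40 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [12/May/2017:16:11:02 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarise(log_text):
    """Return hit totals, unique clients, and per-hour new-host counts.

    'new_hosts_per_hour' counts each source address only in the hour it was
    first seen, so it approximates the rate at which hosts start checking in,
    rather than raw request volume (which repeat polling inflates).
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    hits_per_hour = Counter()
    new_hosts_per_hour = Counter()
    first_seen = {}
    for r in records:
        hour = r["ts"].strftime("%Y-%m-%dT%H")
        hits_per_hour[hour] += 1
        if r["ip"] not in first_seen:
            first_seen[r["ip"]] = r["ts"]
            new_hosts_per_hour[hour] += 1
    return {
        "total_hits": len(records),
        "unique_ips": len(first_seen),
        "hits_per_hour": dict(hits_per_hour),
        "new_hosts_per_hour": dict(new_hosts_per_hour),
        "first_seen": first_seen,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print("total hits:", summary["total_hits"])
    print("unique source addresses:", summary["unique_ips"])
    for hour, n in sorted(summary["new_hosts_per_hour"].items()):
        print(f"{hour}: {n} new host(s), {summary['hits_per_hour'][hour]} hit(s)")
```

Feeding a real sinkhole log through `summarise` gives a first-seen curve per hour; the split between new hosts and raw hits matters because a single infected machine can poll the domain repeatedly and would otherwise look like many.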

Also, I think the key point to reflect on here is that Marcus had the domain knowledge and intuition to know where to start hacking literally within minutes/hours of plugging back in and getting the source.
"Would almost certainly", yeah, in most cases. But, and this is something that didn't get talked about enough, what if registering the domain actually caused the malware to nuke the host system instead? Think of it as a kill-switch to deter malware researchers that only superficially reverse-engineered a sample before jumping to action. Viewed in that light, just registering the domain because you saw your sandbox talk to it looks more than reckless...
We're talking about WannaCry here. It's a ransomware that already more or less nukes the host system. It encrypts the files with strong encryption, which is the same as shredding them if you don't have the ransom money. Sure, the malware author could go further and harm the system physically (e.g. forcefully overheat the CPU or something), but that's actually surprisingly hard to do reliably ^^.

Besides, history tells us that such malware won't really have such "nuking" functionality. Gating it on the presence of a server is ridiculous, and would be found out eventually when the virus runs in a weird environment where, for instance, every DNS query resolves (e.g. hotel WiFi).