
While new variants of WannaCry have sprung up, the old variant is still lurking around corners, and I am not sure whether the following callback IPs and domains should be blocked as per typical ransomware playbooks/runbooks, since they now double as a kill switch to a sinkhole:

Domains:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com

  • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

IPs:

  • 144.217.254.3

  • 144.217.74.156

  • 184.168.221.43

  • 217.182.141.137

  • 217.182.172.139

  • 52.57.88.48

  • 54.153.0.145

  • 79.137.66.14

Should the above be blocked? Or allowed to communicate to act as kill switch?

(This question is different from "How is the 'WannaCry' Malware spreading and how should users defend themselves from it?", as the typical response there is to block all C&C domains/IPs, but in this case I'm not certain, since the flawed C&C acted as a kill switch.)


Anders
George

Comments:

  • Possible duplicate of [How is the "WannaCry" Malware spreading and how should users defend themselves from it?](https://security.stackexchange.com/questions/159331/how-is-the-wannacry-malware-spreading-and-how-should-users-defend-themselves-f) – Serverfrog May 17 '17 at 15:12
  • That link above doesn't answer my question. Mine is juxtaposing two options. – George May 17 '17 at 15:54

1 Answer


To act as a kill switch they must connect.

So the safest way to do it is probably to respond for them: when one of their domains/IPs is requested, fake the answer.

Tom
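One way to implement what Tom describes for the domain side, as an added example that is not part of the original answer or of any WannaCry analysis: an internal resolver that forges an A record for the kill-switch domains listed in the question, pointing at an internal host that accepts any HTTP connection, so the malware's connectivity check succeeds even if the public sinkhole is unreachable or the perimeter blocks it. The sinkhole address 10.0.0.5, the listening ports, and the helper names are assumptions for the example; the sample query is constructed inline so the code runs offline. Queries for other names return None, meaning "forward to the real resolver", which is left out here. The raw IPs in the question cannot be handled by DNS at all; covering those would need a route or NAT rule to the same internal responder, which this example does not show.

```python
import socket
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Kill-switch domains from the question. They are treated as sinkhole targets,
# not block targets: the point is to keep them resolvable to something that answers.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
}

# Assumed internal host running the always-200 responder below (example value).
SINKHOLE_IP = "10.0.0.5"


def parse_question(packet: bytes):
    """Return (transaction_id, qname, qtype, end_offset) for the first question."""
    txid = struct.unpack("!H", packet[:2])[0]
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12  # fixed DNS header length
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels).lower(), qtype, pos


def build_sinkhole_response(query: bytes, ttl: int = 60):
    """Forge an A answer for a kill-switch domain; return None for anything else."""
    txid, qname, qtype, qend = parse_question(query)
    if qname not in KILL_SWITCH_DOMAINS or qtype != 1:  # only A lookups
        return None
    flags = 0x8180  # response, recursion available, NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:qend]
    # Name field is a compression pointer (0xC00C) back to the question name.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A query, used to exercise the resolver offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def answered_ip(response: bytes) -> str:
    """Address carried in the single A record of a response built above."""
    return socket.inet_ntoa(response[-4:])


class AlwaysOK(BaseHTTPRequestHandler):
    """Accept any request so the malware's connectivity check succeeds."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"sinkhole\n")

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def serve(dns_port: int = 5353, http_port: int = 8080):
    """Run the forged-answer resolver and the HTTP responder (ports are assumptions)."""
    http = HTTPServer(("0.0.0.0", http_port), AlwaysOK)
    threading.Thread(target=http.serve_forever, daemon=True).start()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", dns_port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            reply = build_sinkhole_response(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed query, ignore
        if reply is not None:
            sock.sendto(reply, addr)
        # else: forward to the real upstream resolver (not shown)


if __name__ == "__main__":
    serve()
```

This only works for hosts that actually use the internal resolver, so it belongs behind the egress rule that blocks direct outbound DNS; otherwise an infected machine that queries a public resolver still depends on the public sinkhole being reachable.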