While new variants of WannaCry have sprung up, the old variant is still lurking around corners and I am not sure whether the following callback IPs and domains should be blocked as per typical ransomware playbooks/runbooks, since they now double as a kill switch to a sinkhole.
Should the above be blocked? Or allowed to communicate to act as a kill switch?
(This question is different from How is the “WannaCry” Malware spreading and how should users defend themselves from it? as the typical response is to block all C&C domains/IPs, but in this case, I'm not certain since the flawed C&C acted as a kill switch.)