WannaCry – block callback IP/domain?

While new variants of Wannacry has sprung up, the old variant is still lurking around corners and I am not sure whether the following callback IPs and domains should be blocked as per typical ransomware playbooks/runbooks, since they now double as a kill switch to a sinkhole:

Domains:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com

  • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

IPs

  • 144.217.254.3

  • 144.217.74.156

  • 184.168.221.43

  • 217.182.141.137

  • 217.182.172.139

  • 52.57.88.48

  • 54.153.0.145

  • 79.137.66.14

Should the above be blocked? Or allowed to communicate to act as kill switch?

(This question is different from How is the “WannaCry” Malware spreading and how should users defend themselves from it? as the typical response is to block all C&C domains/IPs, but in this case, I’m not certain since the flawed C&C acted as a kill switch)

source

Continue reading WannaCry – block callback IP/domain?