The software contained a URL that, when discovered and registered by a security researcher to track activity from infected machines, was found to act as a “kill switch” that shut down the software before it executed its payload, stopping thespread of the ransomware. The researcher speculated that this had been included in the software as a mechanism to prevent it being run on quarantined machines used by anti-virus researchers; he observed that some sandbox environments will respond to all queries with traffic in order to trick the software into thinking that it is still connected to the internet, so the software attempts to contact an address which did not exist, to detect whether it was running in a sandbox, and do nothing if so. He also noted that it was not an unprecedented technique, having been observed in the Necurs trojan. On 19 May, it was reported that hackers were trying to use a Mirai bot net variant to effect adistributed attackon WannaCry’s kill-switch domain with the intention of knocking it offline. On 22 May, @MalwareTechBlog protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.