
> Two domains, one defuses the ransomware, the other detonates it.

And one of the domains will be called redwire[randomchars].com, and the other bluewire[randomchars].com. Which one do you sinkhole, the red wire or the blue wire?



You just test both in a disposable environment, and then you know which one to sinkhole publicly.

The researcher in this case registered the domain right away because he had experience that that creates a positive result. Once that sort of thing starts creating bad results, then researchers will start testing more carefully before grabbing domains.


This would be Very Bad if your ISP is one of those that intercepts NXDOMAIN responses and instead returns an A record to some other "helpful" thing... or some DNS provider that returns a "this site has been blocked by your administrators" page...
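The failure mode raised above (a resolver that turns NXDOMAIN into a "helpful" A record makes a resolve-only kill switch look as though the domain were registered) can be guarded against by resolving a few random names nobody could have registered alongside the kill-switch domain. The snippet below is an added example, not code from the article or from the malware it discusses; the domain names and the fake resolvers are constructed so it runs offline, and the `resolve` parameter defaults to the real `socket.gethostbyname` for use on a live network.

```python
import random
import socket
import string

# Constructed placeholder for the kill-switch domain (RFC 2606 reserved TLD).
KILL_SWITCH = "redwire-placeholder.example"


def canary_name() -> str:
    """A random 24-label name that cannot plausibly be registered.

    An honest resolver answers NXDOMAIN for it; a hijacking resolver
    answers with the IP of its search/blocked page instead.
    """
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
    return f"{label}.example"


def is_resolvable(name: str, resolve=socket.gethostbyname) -> bool:
    """True if the resolver returns an address, False on NXDOMAIN/lookup failure."""
    try:
        resolve(name)
        return True
    except socket.gaierror:
        return False


def check_kill_switch(domain: str, resolve=socket.gethostbyname, canaries: int = 3):
    """Classify a kill-switch lookup as 'resolves', 'nxdomain' or 'untrusted'.

    Returns (verdict, reason). If any canary resolves, the resolver is
    synthesising answers for nonexistent names, so the kill-switch result
    cannot be trusted either way.
    """
    if any(is_resolvable(canary_name(), resolve) for _ in range(canaries)):
        return ("untrusted", "resolver returns addresses for names that cannot exist")
    if is_resolvable(domain, resolve):
        return ("resolves", "domain is genuinely registered/answered")
    return ("nxdomain", "domain does not resolve")


# --- Constructed fake resolvers that imitate three environments ----------

def make_honest_resolver(registered: set):
    """Answers only for names in `registered`; NXDOMAIN for everything else."""
    def resolve(name: str) -> str:
        if name in registered:
            return "192.0.2.10"  # TEST-NET-1 address, constructed
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return resolve


def hijacking_resolver(name: str) -> str:
    """Imitates an ISP that replaces every NXDOMAIN with a search-page IP."""
    return "198.51.100.1"  # TEST-NET-2 address, constructed


if __name__ == "__main__":
    unregistered = make_honest_resolver(set())
    registered = make_honest_resolver({KILL_SWITCH})
    for label, r in [("unregistered", unregistered),
                     ("sinkholed", registered),
                     ("nxdomain-hijacking ISP", hijacking_resolver)]:
        print(label, "->", check_kill_switch(KILL_SWITCH, r))
```

Note that in the hijacking case the naive check (`is_resolvable(KILL_SWITCH, hijacking_resolver)`) returns True, which is exactly the misfire described in the comment; only the canary comparison exposes it.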


The article says this already is done in other malware.



