
I don't get it: why are they using many fake but valid domains? Wouldn't a non-existing TLD do exactly the same thing while being impossible to register by anyone trying to stop the malware?


Inexperience. These ransomwares aren't written by good programmers. They're put together like lego by people who have barely graduated from copy-paste script kiddie level. For example it's pretty common that botnet C&C systems have basic SQL injection vulnerabilities etc. These people aren't security gurus, they just wait until there's a proof of concept exploit of some public vulnerability posted on a hacking forum/chat and then plug that into their prepackaged ransomware kit.


It's testing to see if its C&C servers are being MITMed for analysis. It does this by checking a bunch of random domains and seeing if they all resolve to the same IP. A completely random domain, rather than a hard-coded random domain, would do just as well, but that's not what was coded in.


Or even just sha256(unixtime().rand()).com

Or a domain in a TLD that allows only second level TLDs (such as some of the commonwealth countries).


> sha256(unixtime().rand()).com

Yep, that's the way to do it.


That gives you 64 characters to the left of the dot. The maximum number of characters allowed in any single component of a domain name is 63. Some systems might react in unexpected ways if you try to resolve an invalid domain name, making your check unreliable. Better use md5 or sha1.
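
The check described in the thread (resolve several random hostnames and treat "they all answer, all with the same IP" as a sign of a fake-internet sandbox or an intercepting resolver) plus the label-length point above, as an added example that is not code from the original thread or from any actual ransomware sample. The resolver is injected so the block runs offline; the two fake resolvers at the bottom are constructed stand-ins for a sandbox that answers every DNS query with one fixed address and for a real resolver that returns NXDOMAIN for names nobody registered. Function names, the 5-probe count and the sample addresses are assumptions chosen here.

```python
import hashlib
import itertools
import os
import socket
import time
from typing import Callable, Optional

MAX_LABEL_LEN = 63  # RFC 1035 upper bound for a single label


def random_label(hash_name: str = "sha256") -> str:
    """Label derived from sha256(unixtime . random), as proposed in the thread.

    A sha256 hex digest is 64 characters, one more than a DNS label allows,
    so it is truncated; md5 (32) and sha1 (40) hex digests fit untouched.
    """
    seed = f"{time.time()}{os.urandom(16).hex()}".encode()
    return hashlib.new(hash_name, seed).hexdigest()[:MAX_LABEL_LEN]


def is_valid_label(label: str) -> bool:
    """LDH rule: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars."""
    return (
        0 < len(label) <= MAX_LABEL_LEN
        and all(c.isalnum() or c == "-" for c in label)
        and not label.startswith("-")
        and not label.endswith("-")
    )


Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None for NXDOMAIN


def system_resolver(hostname: str) -> Optional[str]:
    """Real resolver for live use; not called by the offline demo below."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def looks_intercepted(resolve: Resolver, probes: int = 5, tld: str = "com") -> bool:
    """Probe random hostnames that should not exist.

    Returns True only when every probe resolves and all of them resolve to the
    same address, the pattern produced by sandboxes that answer all DNS with a
    fixed IP. A single genuine NXDOMAIN is enough to conclude DNS is not faked.
    """
    answers = set()
    for _ in range(probes):
        name = f"{random_label()}.{tld}"
        assert is_valid_label(name.split(".")[0])
        ip = resolve(name)
        if ip is None:
            return False
        answers.add(ip)
    return len(answers) == 1


# Constructed stand-ins (assumed addresses), so the check runs offline.
def sandbox_resolver(hostname: str) -> Optional[str]:
    """Fake-internet style: every name resolves to the sandbox's own sink IP."""
    return "10.0.0.1"


KNOWN_HOSTS = {"example.com": "93.184.216.34"}  # constructed table


def real_resolver(hostname: str) -> Optional[str]:
    """Real-world style: unknown names get NXDOMAIN."""
    return KNOWN_HOSTS.get(hostname)


_counter = itertools.count(1)


def wildcard_varied_resolver(hostname: str) -> Optional[str]:
    """Wildcard that hands out a different IP per query; not flagged."""
    return f"192.0.2.{next(_counter)}"


if __name__ == "__main__":
    print("sandbox :", looks_intercepted(sandbox_resolver))    # True
    print("real    :", looks_intercepted(real_resolver))       # False
    print("varied  :", looks_intercepted(wildcard_varied_resolver))  # False
```

Note the caveat the thread's question hints at: a check like this is trivial for an analyst to defeat by returning NXDOMAIN for the probes, or by answering with varied addresses, which is why `wildcard_varied_resolver` is not flagged. Truncating the sha256 digest keeps the label legal; a resolver handed a 64-character label may reject it before any lookup happens, which is exactly the unreliability the comment above warns about.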


Well, that'd be an implementation detail, but the general concept stays the same.

And is superior to hardcoding.


If it's not registerable it's not functional as a kill switch?


It's not supposed to be a kill switch. (Even though it works as one.)

The domain check is there to detect whether the infection is running in a sandbox environment. If the domain check succeeds, it assumes it's being analyzed and aborts.

Or at least that's the prevailing theory.


Is there some fundamental reason why the domain check would always succeed in a sandbox? Would this not be simple to work around by security researchers?


shh
