Our sinkhole is designed to collect any and all HTTP requests to the sinkholed domain for investigation purposes (these are then sent to a back-end database). What this means is that around the period when infections started being prevented, the data on https://intel.malwaretech.com/botnet/wcrypt had almost pinpoint accuracy; however, as the news went global, people began posting links to the sinkhole domains, which others ended up clicking in their thousands.
Although we have ways to differentiate between regular and bot visits, this can only be done during data export, so the graph data became less accurate as the sinkhole domain was posted around the internet. Data sent out for the purpose of victim notification has already been filtered to ensure the best possible accuracy, whereas graph data is unfiltered. As a result, the graph data will show a slightly higher count than the actual figure until the graph can be regenerated (this was supposed to be done immediately, but we have been busy dealing with attacks against our sinkhole infrastructure).
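The gap between the unfiltered graph count and the filtered export count can be illustrated with a small export-time filter. This is an added example, not the sinkhole's own code: the record layout, the sample requests and the browser heuristic (a `Mozilla/` User-Agent or headers such as `Referer`) are all assumptions, since the post does not say how visits are actually told apart.

```python
# Added illustration: compare an unfiltered unique-IP count with a count
# restricted to non-browser requests. The heuristic is an assumption,
# not the method used by the sinkhole operators.

# Headers that interactive browsers normally send and simple HTTP clients
# normally do not (assumed heuristic).
BROWSER_HEADERS = {"accept-language", "referer", "cookie"}

# Constructed sample records (documentation IP ranges, not real data).
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.10", "headers": {"Host": "sinkhole.example"}},
    {"ip": "198.51.100.10", "headers": {"Host": "sinkhole.example"}},
    {"ip": "198.51.100.22", "headers": {"Host": "sinkhole.example"}},
    {"ip": "203.0.113.5", "headers": {"Host": "sinkhole.example",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Referer": "https://news.example/article"}},
    {"ip": "203.0.113.9", "headers": {"Host": "sinkhole.example",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
        "Accept-Language": "en-GB"}},
    # Shared (NAT) address: one person clicking a link, one bare request.
    {"ip": "192.0.2.40", "headers": {"Host": "sinkhole.example",
        "User-Agent": "Mozilla/5.0 (Macintosh)", "Accept-Language": "en-US"}},
    {"ip": "192.0.2.40", "headers": {"Host": "sinkhole.example"}},
]


def looks_like_browser(headers):
    """Return True if the request carries browser-style headers."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if lowered.get("user-agent", "").startswith("Mozilla/"):
        return True
    return bool(BROWSER_HEADERS & lowered.keys())


def summarize(requests):
    """Count unique source IPs before and after the browser filter."""
    all_ips, non_browser_ips = set(), set()
    for record in requests:
        all_ips.add(record["ip"])
        # An IP counts once it has made at least one non-browser request,
        # so a shared address is not discarded because of a link click.
        if not looks_like_browser(record["headers"]):
            non_browser_ips.add(record["ip"])
    return {"unfiltered_ips": len(all_ips),
            "non_browser_ips": len(non_browser_ips)}


if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
```
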
Until the data can be exported, processed, and re-imported, below is an accurate count of total non-browser connections to our sinkhole (these are almost all infections which have been stopped by our ‘kill-switch’ domain).
[Last Updated 2017-05-19 09:00 UTC]