The WannaCry ransomware was originally halted by the UK cybersecurity researcher who goes by the name MalwareTech. He “accidentally” stopped the rapidly spreading infection by registering a domain name (9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that he found in WannaCry’s code, without knowing what its effect would be. The domain turned out to be a kill switch left in the code to stop the ransomware’s propagation. (The act of registering the domain name halted the malware’s spread.)

After the initial WannaCry kill switch was found, researchers predicted that variants would soon appear that were harder to stop. Suiches analyzed two new variants that appeared yesterday, and found that one of them contained a similar kill switch mechanism, but using a different domain name (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com). He registered the new domain about 20 hours ago, and infection rates have plummeted.

The number of active, infected, machines overall is down to the hundreds now, from about 200,000 machines just two days ago, according to data collected by MalwareTech. In the chart below, “online” indicates whether a machine is still connected to the internet and capable of spreading the malware:

The worst is not quite over. Yet more variants will appear, and large organizations must scramble to install a fix released by Microsoft to prevent further infections and propagation. Until those variants crop up, as Suiche observed, just two domain names stand between the world and total anarchy on the internet.