Honestly, how stupid were the malware authors to use standard DNS for a domain that could take down their shit when they use Tor for the actual key and address communication and everything... it's like they half understood what they were doing.
Well, I guess maybe they didn't want things to get too out of hand and now if they want they can be back up soon with that fixed.
> it's like they half understood what they were doing.
And that's exactly what is so wrong about the NSA and others not being good stewards of their own bloody malware. A lot of these criminals would not be able to get their act together at this level without being partially funded by the three letter agencies. Think of it as an advanced form of script kiddies: they can use the tools and wrap them, but they could not come up with those tools of their own accord.
It's all explained in the article. It is a sandboxing detection method: some environments resolve all DNS requests to a host that captures all traffic. It's still stupid, but there is a reason for this behaviour.
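As an added illustration (not code from the article or from any commenter here) of the sandbox-detection logic the comment above describes: a sandbox with a "fake net" answers every DNS query with the address of its capture host, so a name that should never resolve suddenly does. The block below contrasts the single fixed, unregistered domain approach with randomised probe names, which a defender cannot neutralise by registering one domain. The resolver functions `internet_like` and `fakenet_like` are constructed stand-ins (no real lookups), the probe and kill-switch domain names are placeholders, and `system_resolver` is only there for anyone who wants to run the check against a real resolver.

```python
import secrets
import socket
from typing import Callable, Optional

# A resolver maps a hostname to an IPv4 string, or None for NXDOMAIN/failure.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Real OS lookup; not used by the offline demo below."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_probe_domain(tld: str = "test") -> str:
    """20 random hex characters under a reserved TLD: effectively never registered,
    so on the open internet it must be NXDOMAIN."""
    return f"{secrets.token_hex(10)}.{tld}"


def sandbox_resolves_everything(resolve: Resolver, probes: int = 3) -> bool:
    """True when every random, unregistered probe name gets an answer.
    A capture-everything sandbox resolves all of them; real DNS resolves none."""
    return all(resolve(random_probe_domain()) is not None for _ in range(probes))


def killswitch_says_stop(resolve: Resolver, domain: str) -> bool:
    """The fixed-domain variant discussed in the thread: one hard-coded,
    unregistered name; if it resolves, treat the host as an analysis box and stop.
    Weakness: anyone who registers `domain` flips this check on everywhere."""
    return resolve(domain) is not None


# Constructed stand-ins for the two environments (hypothetical, addresses from TEST-NET-1).
KNOWN_HOST = "registered.example"          # placeholder for a genuinely registered name
KILLSWITCH_DOMAIN = "unregistered-killswitch-placeholder.test"  # placeholder, not a real domain


def internet_like(name: str) -> Optional[str]:
    """Behaves like public DNS: only the one registered name resolves."""
    return "192.0.2.10" if name == KNOWN_HOST else None


def fakenet_like(name: str) -> Optional[str]:
    """Behaves like a capture-all sandbox: every name resolves to the capture host."""
    return "192.0.2.1"


def registered_by_researcher(name: str) -> Optional[str]:
    """Public DNS after a defender sinkholes the fixed kill-switch domain."""
    return "192.0.2.20" if name in (KNOWN_HOST, KILLSWITCH_DOMAIN) else None


if __name__ == "__main__":
    for label, r in [("internet", internet_like), ("fakenet", fakenet_like),
                     ("sinkholed", registered_by_researcher)]:
        print(f"{label:10} random probes say sandbox: {sandbox_resolves_everything(r)!s:5} "
              f"fixed kill switch says stop: {killswitch_says_stop(r, KILLSWITCH_DOMAIN)}")
```

Run stand-alone, the third row is the point of the thread: once the fixed domain is registered, the kill-switch check fires on every real-world host, while the randomised probe is unaffected and still only trips inside the sandbox.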
They were clever enough to execute this attack, collect over £160k according to the last estimate I've seen (likely way more now), and achieve that in one day. You seem to underestimate them, including by assuming that this was simply missed. There are many potential scenarios where this is beneficial to the authors.
As with all SW development, there are always a lot of things that they "could have" or "should have" done, but every day you wait with malware which has a known patch out means less spread for you. So they probably made the decision to just get it out as quickly as possible, even if it was not perfect.