In this video, you can see the how Wannacry works, specifically the killswitch. Basically a system affected by Wannacry tries to connect to the killswitch link, if it does the infection stops and the system does't get infected or the malware propagated. During the video I modified the killswith to point to localhost in order to demonstrate how the systems reacts when the killswitch server is not available. The solution used during this video is McAfee Active Response (MAR), this solution is McAfee Endpoint Detection and Response (EDR) able to trace the activity done by the endpoint when a suspicious file is executed. McAfee Active Response uses Open Data Exchange Layer (DxL) to share endpoint trace information and execute live search queries.
Blog dedicated to IT and security