This Wired article suggests two options for why the WannaCry ransomware trojan had a killswitch URL: the creators "wanted to rein it in", or to interfere with forensic analysis. But I've heard a third - to my mind, more plausible - option: WannaCry was work-for-hire, for a percentage of the proceeds. The programmer, not the deployer, added the killswitch in case the deployer stopped paying out. https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/