How a DNS sinkhole stopped the “WannaCry” ransomware attack

Last week the world was confronted by a ransomware attack that affected hundreds of thousands of individuals and organizations in over 150 countries.

The “WannaCry” ransomware attack was one of the most devastating of the decade. Its impact was unprecedented: it crippled hospitals in the UK, shut down manufacturing lines and upended people’s lives.

A few hours after the ransomware appeared, a 22-year-old security researcher found an unregistered domain in the malware’s code. He registered it (the memorable “”) to set up a DNS sinkhole and collect data on the hosts contacting it, and in doing so discovered that he had also triggered a “kill switch” that stopped new copies of the malware from running.

The Essential Role of DNS Sinkholing

As a company focused on DNS, it’s fascinating to see the role that DNS played in thwarting this attack. Before doing anything else, the malware tried to reach an unregistered domain as a sandbox check: analysis sandboxes commonly answer every DNS query and accept every connection, so a successful lookup was taken as a sign that the malware was being analyzed. If the domain resolved, WannaCry simply exited, so that none of its other behavior would be exposed.

When the researcher spent about $10 to register the domain, his only intention was to stand up a sinkhole server and collect additional information about the infected hosts that contacted it. Yet in doing so, he flipped that sandbox check for every infected machine with an unfiltered path to the Internet: the domain now resolved, so new copies of the malware concluded they were being analyzed and shut down before encrypting anything. One simple DNS action, registering a single name and pointing it at a sinkhole, was enough to halt the spread, and the sinkhole’s query logs showed at once which networks held infected devices.

This incident is a good demonstration of why visibility and control over DNS belong in any layered security strategy. A security solution that enforces policy at the DNS layer could have blocked, on critical devices at least, the lookups the malware depended on. DNS query logs also make it straightforward to identify “patient zero”: the resolver records the first internal client to look up the kill-switch domain and every client after it, so the incident response team can surgically address the affected devices first.
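The sinkhole and “patient zero” steps above, as an added example that is not part of the original post and not BlueCat’s code: it parses constructed BIND-style resolver query-log lines, finds every client that looked up a placeholder kill-switch domain, picks the earliest as patient zero, and emits a BIND Response Policy Zone (RPZ) fragment that rewrites that domain to an internal sinkhole address so the lookups never leave the network. The log format, the domain name, the client addresses and the sinkhole address are all constructed for the example; `should_exit` is a simplified model of the sandbox check the post describes, not WannaCry’s actual code.

```python
"""Added example: DNS-log triage for a kill-switch / sinkhole domain.
Not code from the original post or from BlueCat; all data is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Placeholder standing in for the kill-switch domain (constructed, not the real one).
KILL_SWITCH_DOMAIN = "abcdefghijklmnopqrstuvwxyz012345.test"
SINKHOLE_IP = "10.20.0.99"  # constructed internal sinkhole address

# Constructed resolver log in a BIND query-log style (clients, times and names invented).
SAMPLE_LOG = """\
15-May-2017 08:12:03.114 client 10.20.4.17#52113 (update.example-corp.test): query: update.example-corp.test IN A + (10.20.0.53)
15-May-2017 08:14:41.902 client 10.20.7.88#49802 (abcdefghijklmnopqrstuvwxyz012345.test): query: abcdefghijklmnopqrstuvwxyz012345.test IN A + (10.20.0.53)
15-May-2017 08:14:42.010 client 10.20.7.88#49803 (www.example-corp.test): query: www.example-corp.test IN A + (10.20.0.53)
15-May-2017 08:15:05.331 client 10.20.9.3#61002 (abcdefghijklmnopqrstuvwxyz012345.test): query: abcdefghijklmnopqrstuvwxyz012345.test IN A + (10.20.0.53)
15-May-2017 08:15:06.118 client 10.20.7.88#49810 (abcdefghijklmnopqrstuvwxyz012345.test): query: abcdefghijklmnopqrstuvwxyz012345.test IN A + (10.20.0.53)
15-May-2017 08:16:19.770 client 10.20.11.45#50217 (abcdefghijklmnopqrstuvwxyz012345.test): query: abcdefghijklmnopqrstuvwxyz012345.test IN A + (10.20.0.53)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Query:
    ts: datetime
    client: str
    qname: str
    qtype: str


def parse_log(lines: Iterable[str]) -> list[Query]:
    """Parse query-log lines; lines that do not match the query format are skipped."""
    queries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        queries.append(Query(
            ts=datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            client=m["client"],
            qname=m["qname"].rstrip(".").lower(),  # normalise trailing dot and case
            qtype=m["qtype"],
        ))
    return queries


def should_exit(domain_resolves: bool) -> bool:
    """Simplified model of the sandbox check described in the post (not WannaCry's code):
    a successful lookup of the unregistered domain is read as "I am in a sandbox".
    Registering the domain made this true on every real network as well."""
    return domain_resolves


def clients_querying(queries: Iterable[Query], domain: str) -> dict[str, tuple[datetime, datetime, int]]:
    """Per client that looked up `domain`: (first query time, last query time, count)."""
    first: dict[str, datetime] = {}
    last: dict[str, datetime] = {}
    count: defaultdict[str, int] = defaultdict(int)
    for q in queries:
        if q.qname != domain.lower():
            continue
        count[q.client] += 1
        first[q.client] = min(first.get(q.client, q.ts), q.ts)
        last[q.client] = max(last.get(q.client, q.ts), q.ts)
    return {c: (first[c], last[c], count[c]) for c in count}


def patient_zero(queries: Iterable[Query], domain: str) -> Optional[str]:
    """Client with the earliest query for `domain`, or None if nobody queried it."""
    seen = clients_querying(queries, domain)
    return min(seen, key=lambda c: seen[c][0]) if seen else None


def rpz_zone(domain: str, sinkhole_ip: str, origin: str = "rpz.local") -> str:
    """BIND RPZ fragment answering `domain` (and any subdomain) with the internal sinkhole.
    Activated in named.conf with: response-policy { zone "rpz.local"; };"""
    return "\n".join([
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 900 604800 60",
        "@ IN NS localhost.",
        f"{domain} IN A {sinkhole_ip}",
        f"*.{domain} IN A {sinkhole_ip}",
    ]) + "\n"


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG.splitlines())
    print("patient zero:", patient_zero(qs, KILL_SWITCH_DOMAIN))
    hits = clients_querying(qs, KILL_SWITCH_DOMAIN)
    for client, (first, last, n) in sorted(hits.items(), key=lambda kv: kv[1][0]):
        print(f"{client:<14} first={first:%H:%M:%S} last={last:%H:%M:%S} queries={n}")
    print(rpz_zone(KILL_SWITCH_DOMAIN, SINKHOLE_IP))
```

The RPZ record is the internal equivalent of what registering the domain did on the public Internet: every infected client that asks the corporate resolver gets the sinkhole address, and the resolver’s log of who asked, and when, is the patient-zero evidence. Point `SINKHOLE_IP` at a host that logs connections, and the same triage works for any domain you later learn is malicious.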

BlueCat DNS Edge would provide immediate visibility into lateral movement and “patient zero” within a compromised organization’s network.

The Importance of a Layered Defense Strategy

When we talk to our customers about DNS security, we stress the importance of a layered defense approach. Perimeter, cloud, endpoint, network, data and application security all have to be covered.

The WannaCry attack was specifically built to get past sandboxing tools. To stop it, an enterprise needed more than one independent way of blocking the malware’s attempts to connect with remote servers. The concept and benefit of a layered security approach is simple: a comprehensive implementation of different security solutions covers the gaps in each one’s capabilities.

There are many lessons that can be learned from the WannaCry attack. Clearly, a comprehensive and vigilant update policy is a must: the worm spread through an SMB vulnerability for which Microsoft had shipped a patch two months earlier. A multi-layered security policy is the smart strategy for every CISO. Yet the next logical step is to find new methods and new sources of data (like DNS) to assess risk, identify issues, and take immediate action.

Adaptive DNS infrastructures enable businesses to seamlessly centralize and automate DNS services. With that infrastructure in place, they can leverage DNS data for superior control, compliance and security.
