How a DNS sinkhole stopped the “WannaCry” ransomware attack

Last week the world was confronted by a ransomware attack that affected hundreds of thousands of individuals and organizations in over 150 countries.

The “WannaCry” ransomware attack was one of the most devastating of the decade, impacting individuals and organizations in over 150 countries. The impact of this cyberattack was unprecedented – crippling hospitals in the UK, shutting down manufacturing lines and upending people’s lives.

A few hours after the ransomware appeared, a 22-year-old security researcher found an unregistered domain in the code. After registering that domain (the memorable “”) to create a DNS sinkhole so he could collect additional data, he realized that he had also activated a “kill switch” that helped many of those affected.

The Essential Role of DNS sinkholing

As a company focused on DNS, we find it fascinating to see the role that DNS played in thwarting this attack. The malware was designed to try to resolve an unregistered domain to test whether it was executing in a sandboxed environment. If the domain resolved, WannaCry shut itself down so that no more of its behavior would be exposed.

When the researcher spent $10 to register the domain, his only intention was to set up a sinkhole server to collect additional information. Yet in doing so, he triggered that sandbox check, ultimately subverting the attack by blocking the malicious traffic at a single DNS sinkhole server. Simple DNS concepts and actions were critical in identifying the core issue and in preventing the malicious command and control (C&C) servers from receiving any DNS queries from infected devices.

This incident is a good demonstration of how visibility and control are a necessary part of any layered security strategy. For example, a security solution that leverages DNS could have been used to enforce policy on critical devices, blocking the initial download of the malware used in this attack. DNS also could have easily identified “patient zero”, enabling the incident response team to surgically address affected devices first.
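The two DNS actions described above, the sinkhole answer and the hunt for “patient zero” in resolver query logs, as an added example (not code from the original post or from BlueCat). The kill-switch domain, the sinkhole address and the log lines are constructed placeholders, since the post does not spell them out.

```python
from datetime import datetime
# Placeholder: the article does not spell out the kill-switch domain, so a
# constructed name stands in for it; 192.0.2.1 is a documentation address.
KILL_SWITCH_DOMAIN = "killswitch-domain-placeholder.example"
SINKHOLE_IP = "192.0.2.1"

# Constructed resolver query log, one "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 www.example.com A
2017-05-12T10:02:41Z 10.0.4.52 killswitch-domain-placeholder.example A
2017-05-12T10:02:41Z 10.0.4.52 update.example.net A
2017-05-12T10:03:10Z 10.0.9.8 KILLSWITCH-DOMAIN-PLACEHOLDER.example. A
2017-05-12T10:05:55Z 10.0.4.52 killswitch-domain-placeholder.example A
2017-05-12T10:07:02Z 10.0.7.23 killswitch-domain-placeholder.example A
"""

def normalise(name):
    """Canonical form for comparing DNS names: lower-case, no trailing dot."""
    return name.lower().rstrip(".")

def parse_log(text):
    """Yield (timestamp, client, qname) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, _qtype = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, normalise(qname)

def hosts_querying(text, domain):
    """Clients that looked up `domain`, as (client, first_seen) sorted by first query.
    Every client here performed the kill-switch lookup, so each one ran the malware."""
    first_seen = {}
    for ts, client, qname in parse_log(text):
        if qname == normalise(domain):
            first_seen.setdefault(client, ts)
    return sorted(first_seen.items(), key=lambda item: item[1])

def patient_zero(text, domain):
    """Client with the earliest query for `domain`, or None if nobody queried it."""
    hosts = hosts_querying(text, domain)
    return hosts[0][0] if hosts else None

def policy_answer(qname, blocklist, sinkhole_ip=SINKHOLE_IP):
    """Resolver policy: answer a blocked name (or a subdomain of one) with the
    sinkhole address; return None to let normal resolution proceed."""
    name = normalise(qname)
    for blocked in map(normalise, blocklist):
        if name == blocked or name.endswith("." + blocked):
            return sinkhole_ip
    return None
```

In the constructed log, 10.0.4.52 is the first client to query the kill-switch name and is therefore the patient-zero candidate; the other two clients that queried it are the rest of the infected population, while 10.0.4.17 never did.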

BlueCat DNS Edge would provide immediate visibility into lateral movement and “patient zero” within a compromised organization’s network.

The Importance of a Layered Defense Strategy

When we talk to our customers about DNS security, we stress the importance of a layered defense approach. Perimeter, cloud, endpoint, network, data and application security all have to be covered.

The WannaCry attack was specifically built to get past sandboxing tools. To stop it, an enterprise needed parallel ways of blocking the malware’s attempts to connect with remote servers. The concept and benefit of a layered security approach is simple: a comprehensive implementation of different security solutions covers gaps in the others’ capabilities.

There are many lessons that can be learned from the WannaCry attack. Clearly, a comprehensive and vigilant update policy is a must. A multi-layered security policy is the smart strategy for every CISO. Yet the next logical step is to find new methods and new sources of data (like DNS) to assess risk, identify issues, and take immediate action.

Adaptive DNS infrastructures enable businesses to seamlessly centralize and automate DNS services. With that infrastructure in place, they can leverage DNS data for superior control, compliance and security.
