DNSSecurity

DNS helped stop the WannaCry ransomware attack

In 2017, the world was confronted by a ransomware attack that demonstrated how DNS visibility and control are key to any layered security strategy.

Last updated: September 15, 2025

An avatar of the author
BlueCat
Abstract blue skull formed from digital code, symbolizing the WannaCry ransomware cyberattack and DNS-based threat defense
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article examines the 2017 WannaCry ransomware outbreak and how a simple DNS sinkhole—created after a researcher registered an unregistered domain found in the malware—triggered a kill switch that halted propagation. It explains how DNS behavior was used to detect sandboxing and block command-and-control traffic, illustrating DNS visibility and control as critical elements of layered security and incident response. The piece emphasizes layered defenses, timely patching, and leveraging adaptive DNS infrastructures to centralize, automate, and use DNS data for faster risk assessment, patient-zero identification, and remediation.

How did registering a domain stop the WannaCry ransomware?

WannaCry included code that attempted to resolve a particular, initially unregistered domain as a sandbox-detection mechanism: if the domain resolved, the malware would terminate to avoid exposing behavior. A researcher registered that domain and pointed it to a sinkhole DNS server intending to collect telemetry. By doing so he inadvertently satisfied the malware’s check, causing infected instances to stop executing further malicious activity. The sinkhole also prevented infected hosts from reaching the malware’s intended command-and-control servers by blocking those DNS queries, which reduced further spread.

What role does DNS visibility and control play in incident response according to the article?

The article argues DNS visibility and control are critical for layered security and effective incident response. DNS can identify patient zero by showing initial DNS requests made by compromised devices and reveal lateral movement through DNS query patterns. With centralized DNS data and enforcement, teams can surgically remediate affected devices, block downloads of malware at the DNS layer, and prevent infected hosts from contacting command-and-control infrastructure—helping to contain incidents more quickly and precisely.

Why does the article recommend a layered defense and adaptive DNS infrastructure?

The article recommends layered defenses because WannaCry was designed to bypass sandboxing; multiple parallel protections cover each other’s gaps and limit attack success. It also promotes adaptive DNS infrastructures because centralizing and automating DNS services provides new data sources and enforcement points for security teams. With adaptive DNS, organizations can leverage DNS telemetry for risk assessment, compliance, and rapid action—blocking malicious downloads, detecting patient zero and lateral movement, and integrating DNS controls into a comprehensive security strategy.

The 2017 WannaCry ransomware attack was one of the most devastating of the decade, impacting individuals and organizations in over 150 countries. It crippled hospitals in the UK, shut down manufacturing lines, and upended people’s lives.

A few hours after the ransomware appeared, a 22-year-old security researcher found an unregistered domain in the code. After registering that domain (the memorable “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”) to create a DNS sinkhole so he could collect additional data, he unintentionally activated a kill switch that helped many affected.

The essential role of DNS sinkholing

The role that DNS played in thwarting this attack is fascinating. The malware was designed to try to resolve an unregistered domain to test whether it was executing in a sandboxed environment. If the malicious domain existed, WannaCry died to protect it from exposing any other behavior.

When the researcher spent $10 to register the domain, he only intended to set up a sinkhole server to collect additional information. Yet in doing so, he triggered that sandbox check. Ultimately, that subverted the attack by blocking malicious traffic from a single DNS server. Simple DNS concepts and actions were critical in identifying the core issue. These actions blocked the malicious command-and-control servers from receiving any DNS queries from infected devices.

This incident is a good demonstration of how visibility and control are critical to any layered security strategy. For example, a security solution that leverages DNS could have enforced policies on critical devices. This would have blocked the initial download of malware used in this attack. DNS also could have easily identified patient zero, enabling the incident response team to surgical address affected devices first.

The BlueCat platform provides immediate visibility into lateral movement and patient zero within a compromised organization’s network.

The importance of a layered defense strategy

BlueCat stresses the importance of a layered defense approach when it talks to customers about DNS security. Security must cover perimeters, the cloud, endpoints, the network, data, and applications.

The WannaCry attack was specifically built to get past sandboxing tools. To stop it, an enterprise needed parallel ways of blocking the malware’s attempts to connect with remote servers. The concept and benefit of a layered security approach is simple: A comprehensive implementation of different security solutions covers gaps in the others’ capabilities.

There are many lessons to learn from the WannaCry attack. Clearly, a comprehensive and vigilant update policy is a must. A multi-layered security policy is a smart strategy for information security officers. Yet the next logical step is to find new methods and new sources of data (like DNS) to assess risk, identify issues, and take immediate action.

Adaptive DNS infrastructures enable businesses to seamlessly centralize and automate DNS services. With that infrastructure in place, they can leverage DNS data for superior control, compliance, and security.

Published in:

DNSSecurity

Published on: May 17, 2017

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM
Blog

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat
Blog

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las
Blog

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more
Stacked colorful wooden directional arrows on a post by a calm seaside with distant hills and blue sky
Blog

Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)

Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.

Read more