ThreatSTOP Tools & Action For Visibility Fighting Ransomware & WannaCry

Protecting and empowering our valued customers is always a top priority at ThreatSTOP. Today, we're taking additional action to deliver better protection and greater visibility related to the WannaCry ransomware attack.

We're also putting better, faster mitigation tools in place for attacks like these that will inevitably happen in the future. An attribute unique to WannaCry is a kill switch–a handful of domains that if successfully resolved will prevent an infected machine from encrypting files. It should be noted, any machines querying these domains are almost certainly infected with WannaCry.

What We’re Doing to Help You:

• The kill switch domains for WannaCry are being added to our global whitelist with an RPZ action of PassThru. If you are a ThreatSTOP DNS Firewall user, this will impact your policy when it next updates following our implementation.

How This Helps:

• If you have machines on your network that are infected, and their DNS queries are being handled by a DNS server running ThreatSTOP, the queries to the kill switch domains will be allowed (preventing encryption), and logged for your team to rapidly identify and remediate infected machines. If you’ve already added User Defined List Allow entries for these kill switch domains, this change won’t impact you as UDL’s will continue to take precedence.

If you have questions, please don’t hesitate to contact ThreatSTOP support at  or 760-542-1550.

If you don't have ThreatSTOP and are interested in a free trial or learning more - .  

The ThreatSTOP Team