I believe the malware was designed to do that as part of a way to test and see if it's in a sandboxed environment if someone was trying to analyze it. If I understood this correctly, checking the domain was a way to do that (although I might be completely wrong).
It was explained quite clearly in the article. Sandboxed environments will generally have a catch all that replies to any IP requests with a sinkhole server. To prevent analysis, it'd do a lookup to a known unregistered domain and if it got back an IP address (which should not happen except in the sandbox with an unregistered domain) then it quits because it assumes it's sandboxed and being analyzed.
I still can't understand how the malware authors could be so smart (or, if not smart, at least competent enough to build ransomware from scratch, make it wormable with ETERNALBLUE, and launch a massive and effective spam campaign) and yet so stupid.
They could've achieved the same sandbox detection effect by just registering the domain and pointing it at 1.1.1.1 or whatever. The non-sandboxed connections would still fail, and no one else could take the domain.
I find it interesting that they didn't randomize a couple of long strings and tried to resolve those instead like the article mentioned has been done in the past
I would guess that a simple DNS/HTTP works just as well. In contrast checking for vmware processes or similar would probably result in a code signature that can be picked up much more easily by malware scanners.