VMRay Managing Director Carsten Willems on the balcony
Technologies of the future

The sandbox trick

German cybersecurity provider VMRay uses smart security technology to help the world’s most valuable corporations fight hacker attacks. KfW Capital has made several investments in the fast-growing company from Bochum.

A harmless-looking link in an email takes the user to a page where a malicious program is downloaded without the user noticing it. The damage the program causes, such as file encryption with ransom demands for decryption, is evident only when it becomes active. How can such files be tested without exposing users to risk?

Sandbox: how to make malware harmless

In a controlled environment, isolated from the company IT, suspect files are observed and documented. Harmful code can also be executed there and identified as malware. Conventional methods, such as anti-virus software, are only able to detect malware that already has a digital fingerprint. The sandbox method also exposes unknown malware.

Ralf Hund and Carsten Willems, founders of the start-up VMRay in Bochum, had an idea called “sandbox”. VMRay’s system quickly identifies which files are harmless and which need to be blocked. This is decided automatically by the software.

Willems calls this “behaviour-based detection of malicious code”. In his thesis, Willems proposed an invisible type of sandbox because around half of the ever-increasing number of malware attacks were able to detect that they were running in a sandbox. VMRay has been using technology on this basis for eight years. It also detects previously unknown malware – a major benefit in the fast-paced and constantly growing IT security market.

Although IT security products from other manufacturers can also detect unknown malware, perform dynamic analyses and run malware in a sandbox, VMRay’s sandboxes are especially efficient, creating a protective layer to defend IT systems against external attacks. The aim is to form a tightly meshed, multi-layered system. If a cyberattack slips through one layer of security technology, it should be stopped by another. VMRay’s sandboxing technology for detecting and analysing advanced malware is an important component in a multi-level security concept.

VMRay, RIPS Technologies and Rhebo: Young enterprises address the dangers of cybercrime
The sandbox method

Malware is identified, analysed and removed from circulation within a secure environment.

Grants and investments

VMRay’s business plan soon received funding from the Ministry of Education and the Ministry for Economic Affairs. Other investors in the start-up included the High-Tech Start-up Fund (High-Tech Gründerfonds) and the eCapital and Digital+ venture capital funds. KfW Capital has invested in all three with support from the ERP Special Fund. “The investments were important,” explains Carsten Willems, “they allowed us to grow much faster, and no one with the same idea was able to overtake us”.

Creative defence

Anti-virus programmes alone are not enough to counter cybercrime.

And so, in just eight years, the sandbox idea and the PhDs of two students have grown into a unique business in the IT world, which now works together with MIT in Boston. VMRay employs over 100 people in Europe, Asia, the Middle East and the USA. The company provides no information on turnover or profit.

For security reasons, most clients wish to remain anonymous, but the list includes industrial groups, accountancy firms, technology giants, government and research institutions from all over the world, as well as some of the largest financial and insurance companies.

Figures and attacks

According to the Federal Office for Information Security report “Die Lage der IT-Sicherheit in Deutschland 2020”, there were an average of 322,000 new malware variants per day in 2020. According to VMRay, 99.9 per cent of these are variants of known programmes that have been modified to prevent detection by security systems.

Email remains the primary vehicle for malware

The outlook is good: the market for innovative security technologies is growing every year. The ongoing digital transformation in the private and public sectors is opening up a multitude of new opportunities and business models, thereby increasing the scope of attack for advanced malware. Email remains the primary vehicle for malware.

The main aim of financially motivated cyberattacks is to make a profit, for example, by extorting a ransom or selling copied data on the Darknet. Politically motivated cyberattacks, on the other hand, are often aimed at disrupting important services such as energy supplies, or at copying highly confidential data.

Spectacular attacks

The well-known “Stuxnet” cyberattack destroyed Iranian uranium centrifuges in 2010. Among the most well-known targets of successful attacks have been the German Bundestag and Ukraine’s electricity supply, both in 2015. In May 2017, a major cyberattack called “WannaCry” was launched, infecting over 230,000 computers in 150 countries in an attempt to extort ransoms.

Targeted malware attacks on a specific industrial sector or businesses and authorities are now almost a daily occurrence, explains VMRay. Malware is often programmed to become active only on the computer systems of the targeted organisation.

“Today, almost any important data is available digitally,” says Willems. “An attack is much more profitable now than 20 years ago”. What has developed is “a hacker industry on the one hand and a large security industry on the other”. VMRay is a major player in providing security against attacks.

Published on KfW Stories: 14 June 2021.