Security Experts:

Malware Sandboxing Firm VMRay Raises $10 Million

Bochum, Germany-based VMRay has closed a $10 million Series B funding round led by Digital+ Partners, bringing the total raised to date to just under $14 million. The money will be used in both marketing and R&D. R&D is based in Germany, while all customer-facing operations are run from Boston, Mass.

VMRay is focused on detecting the malware that other defenses might miss. It does this through a dynamic analysis sandbox that is undetectable by the malware it analyzes. 

Although the firm was founded in 2016 by Carsten Willems and Ralf Hund, its naissance goes back further. Current VP of sales and marketing, Chad Loeven, told SecurityWeek that he had been contacted by Willems more than a dozen years ago, and given the brief of commercializing the German's master's thesis work. The result led to the world's first commercial sandbox, predating even FireEye. Between 2006 and 2010 this was sold widely to government and three-letter agencies. But it wasn't good enough -- it could be detected by the malware it sought to analyze.

Willems went back to school to work on the perceived weaknesses. Ralf Hund was a contributor in the development of an alternative sandbox approach, known as Anubis, that ran out of Vienna university and was commercialized by LastLine,  but there are weaknesses in both approaches. Together they developed the third approach that led them to founding VMRay in 2016 and bringing Loeven back.

The new VMRay sandbox, explains Loeven, "is an agentless hypervisor approach that builds a better matrix. There's no Agent Smith that can be detected by the Keanu Reeves malware. The malware does exactly what it is intended to do and is fully confident that it is in its target environment."

To put this in context, if the examined file is a Brazilian banking trojan, the sandbox will give it what it wants -- a Brazilian IP and Portuguese language settings. It can do this because it is located at the gateway and is not limited by desktop constraints. "VMRay returns the exact answer that the malware seeks, so that it keeps working. Because it continues running, it can be analyzed for bad behavior, ultimately aggregating the behaviors into a verdict," explains Loeven.

The product effectively has three components: a reputation engine that can filter out known bad files in milliseconds; and a static analysis engine for attachments, URLs and potentially malicious components. These two components equate to standard anti-virus defenses. The third component, however, is the dynamic analysis sandbox. 

"The USP or value proposition," said Loeven, "is that VMRay doesn't just detect the 99.5% of malware detected by all other AV vendors, but also the half percent that they miss. This probably isn't important for smaller companies and consumers, but we're not selling to these markets. Where that gap is important -- that 0.5% that goes undetected -- and where it is a very big deal is when it is targeted directly at major organizations: defense contractors, government agencies, financials, Fortune 500s and so on. Big organized crime gangs and state-sponsored actors are willing to spend the time to figure out how to compromise these targets with unknown malware that can detect other sandboxes."

"The most effective security teams today are not reactively responding to new threats," comments Andy Pendergast, VP of product for ThreatConnect, "but rather arming their teams with the advanced tools they need to identify tactics, techniques, and indicators of compromise at the earliest phase of the threat lifecycle. This is precisely what VMRay's platform enables us to do, giving our customers the critical visibility and intelligence they need to defend their network from tomorrow's advanced threats."

The new funding, explained Loeven, "The funding will go to marketing and R&D. With this new round we're doubling down on expanding our reach into the security ecosystem. The next big project is to add more connectors, more product add-ons for email integration, web integration, and so on -- to make it easier for our customers to use VMRay to reach deeper into the enterprise and to make the product fit seamlessly into the modern porous, perimeterless nature of the enterprise. This isn't about the core technology; this is a challenge about wrapping those pieces around and extending the core technology into the enterprise infrastructure.

Related: Evasive Malware Now a Commodity 

Related: A Glimpse at the Latest Sandbox Evasion Techniques 

Related: Sandboxes are "Typed": It's Time to Innovate to Defeat Advanced Malware 

Related: Dell Unveils Solution to Detect Evasive Malware

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.