Malware Sandboxing Firm VMRay Raises $10 Million


The $10 million B funding round under Digital+ Partners has closed in Bochum, Germany-based VMRay, bringing the complete amount raised so far to just under $14 million. The cash will be used in marketing and research and development. R&D is based in Germany, while the entire customer operation runs from Boston, Mass. VMRay concentrates on identifying malware that could be missing from other defenses. This is done through a dynamic sandbox analysis which can not be detected with the malware it analyzes.

Although Carsten Willems and Ralf Hund established the company in 2016, its birth continues. Chad Loeven, current VP for sales and marketing, told that more than a dozen years ago Willems approached him with the brief to market the master’s thesis job. The outcome resulted in the world’s first commercial sandbox, even before FireEye. This was commonly marketed to government and three-letter organizations from 2006 to 2010. But it was not good enough— the malware it sought to analyze could be detected.

Willems returned to college to work on the weaknesses he perceived. Ralf Hund created an alternative sandbox strategy, called Anubis, which has been excluded from Vienna University and commercialized by LastLine, but both methods have weaknesses. Together, the third strategy resulted to the creation of VMRay in 2016 and to the return of Loeven.

The new VMRay sandbox, explains Loeven, “is an agentless hypervisor strategy building a stronger matrix. There is no agent Smith identified by malware from the Keanu Reeves. The malware does precisely what it is meant to do and is fully confident that it is in its target setting.”

To put this in context, if the examined file is a Brazilian banking trojan, the sandbox will give it what it wants — a Brazilian IP and Portuguese language settings. It can do so because it is situated at the entrance and is not restricted by desktop restrictions. “While it continues to operate, VMRay returns the exact answer that the malware is looking for, it can be analyzed for bad behavior, which ultimately adds behaviour, to a verdict,” Loeven explains.

The product has three components:

  • A reputation engine which filters out known bad files in milliseconds and a static analyzer for appliances,
  • URLs and potentially malicious components.

Both parts are equivalent to conventional anti-virus defenses.

However, the third element is

  • The sandbox for dynamic analysis.

“The USP or value proposition,” said Loeven, “is that VMRay not only detects the 99.5% of the malware that is detected by all other AV vendors, but also half the% that is missing. This probably doesn’t matters to larger firms and consumers, but we’re not selling it to those markets.This gap is crucial— that 0.5% remains undetected— and is a huge gap if it’s targeting significant organisations directly: defense contractors, public departments, finance, Fortune 500 and so forth. Big organized crime gonds and government-sponsored performers are prepared to take the time in order to understand how unknown malware can detect other sandboxes can compromise these objectives.

“Andy Pendergast, Product Manager for ThreatConnect, says,’ but instead they are equipping their teams with the sophisticated instruments that they need. This, in particular, is what VMRay’s platform allows us to do, providing our clients the critical visibility and intelligence needed to protect their network from the late threats of tomorrow. We are doubling our reach into the safety ecosystem with this fresh round.

The next great initiative is the addition of additional connectors, additional products to email integration, internet integration etc, so our clients can easily use VMRay to deepen their business and fit the product perfectly into the contemporary porous, perimeterless nature of the company. It’s not key technology; it’s a challenge to wrap these parts and extend the key technology into company infrastructure.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.