How Parallel Lives Converged to Create VMRay
In hindsight, it looks like Carsten Willems and Ralf Hund, the co-founders of VMRay, were destined to follow the same path for an extended period in their lives. Since first meeting in 2007, they have studied alongside each other, collaborated on groundbreaking research, started a company (VMRay), based in their native Germany, and built it into a leader in the field of malware analysis and threat detection.
Foreshadowing What Was to Come
By their own admission, Carsten and Ralf are very different in temperament. Carsten’s outgoing personality and optimism are well matched to his role as CEO. Those traits complement Ralf’s more introverted and skeptical nature, which serves him well as the CTO. However, says Ralf, they are similar in many ways: their pragmatism, their technological orientation and their early trajectory in life.
Before they were even in their teens, both showed an intense interest in computers. Carsten got his start on the Commodore VC-20, an 8-bit forerunner of the legendary Commodore 64. Reflecting their 7-year age difference, Ralf’s first desktop was an early IBM PC. Foreshadowing their academic and professional lives, both experimented with primitive but essentially innocent hacking methods. Carsten recalls writing code with the goal of breaking into friends’ computers. (Pre-Internet, his homegrown software was spread via floppy disks.) Ralf tried his hand at reverse engineering software to understand the inner workings of proprietary programs.
Ralf, who was self-taught, describes himself as “always programming” during his teenage years. And starting at 16, Carsten paid his own way by working for a commercial software company. Both eventually gravitated toward the nascent field of IT security.
Meeting on a Mountain
With a chuckle, Carsten recalls their first meeting “on a big mountain” in Lucerne, Switzerland. “We were attending the same security conference, and Ralf was very sick that day, so he didn’t talk much. But he told me about a sandbox he had developed, and I could tell it was an awesome piece of work.”
They stayed in touch and, within a couple of years, found themselves on the same track academically. Both were drawn to pursue a doctoral degree at Ruhr-University Bochum, Germany, under the mentorship of Professor Thorsten Holz, whose specialty was the emerging field of dynamic binary analysis. (Professor Holz is now Chairman of Systems Security at Ruhr-University Bochum.)
From Research Innovations to Commercial Products
As an outgrowth of their studies, both Carsten and Ralf developed software that found its way into academic and commercial products. Ralf wrote a sandbox for Windows Mobile (Microsoft’s mobile operating system at the time) which was used in academia. It allowed individuals to submit a Windows Mobile app for analysis and obtain a report on the actions performed by the program. He also contributed to the Anubis sandbox, which is still commonly used in academic settings.
As part of his diploma thesis, Carsten developed a malware detection sandbox, which evolved into a product called CWSandbox, an early entry in the market. Invited to Las Vegas to present his thesis, he established a relationship with Sunbelt Software, which ended up distributing the product worldwide and acquiring the source code.
The Origins of VMRay
Over the course of four years, Carsten and Ralf worked together in the areas of malware analysis, vulnerability research and hardware hacking. In 2013, toward the end of their studies, they jointly published a paper that set the stage for the founding of VMRay. The paper addressed the shortcomings of existing malware sandbox technologies. As Ralf explains, “Early sandbox products relied on simulators and emulation to ‘detonate’ or allow the execution of suspicious or known malicious files inside a virtual machine while monitoring the resulting behavior. These methods were very slow and not scalable. In contrast, later commercial offerings used hooking techniques, which were faster but easier for attackers to evade.”
The paper described a groundbreaking approach, based on contemporary hardware virtualization, that eliminated these inherent flaws. “An agentless hypervisor is at the core of VMRay Analyzer, making it both fast and scalable,” says Carsten. “Equally important, VMRay Analyzer is very difficult for malware to evade, since the software being analyzed cannot detect that it’s running within a sandbox.”
Staying Close to Home
In founding their new company, Carsten and Ralf decided to stay in Bochum. The city is part of the Ruhr region, which has a population of 5 million and a constellation of large universities, including two that offer advanced study in cybersecurity. Bochum is also more affordable for young professionals than trendy metro areas like Berlin and Munich. “As a technology-based business, we need access to a highly educated workforce,” says Ralf. “Bochum has a lot of characteristics that help us attract and keep top talent.”
As they went through the growing pains of attracting investors, creating a company from scratch and transforming an academic prototype into an MVP (Minimum Viable Product), the partners attracted substantial resources through government grants, university support and winning a major technology prize. Ralf says, “In the beginning, we were only two people, and so much needed to be done. So there was a lot of uncertainty. Then, about two years ago we had a meeting with all the employees, and there were so many people they couldn’t all fit in the room. That was the first time I thought ‘This is really going to be big.’”
Reflecting on VMRay’s future direction, Carsten says, “Our goal is not to try to be all things to all people and be a mass market solution. We’ll continue to focus on providing the best sandboxing technology in the world to people and organizations that need the best solution for analyzing malware.”
As part of that focus, he notes, VMRay is building OEM partnerships with companies that want to incorporate VMRay’s hypervisor-based technology into full-blown protection solutions. On a final note, Carsten says, “Customers and partners often tell us, ‘When it comes to the core functionality of a sandbox, analyzing malware, you’re by far the best.’ And we plan to keep it that way.”