Following the Colonial Pipeline incident in 2021, Jon Miller and Ryan Smith wondered why, with the widespread adoption of security tools, ransomware was still growing exponentially.
It’s an odd dichotomy. Seventy-eight percent of companies responding to a recent survey said that they plan to increase their investments in cybersecurity in the next 12 months. But at the same time, ransomware damages are expected to exceed $30 billion worldwide in 2023.
Frustrated with the status quo, Miller and Smith — veterans of companies later acquired by Blackberry and Optiv, as well as cyber defense contractor Boldend — founded the cybersecurity startup Halcyon. They claim it can help stop ransomware from causing damage while enabling companies to lower their overall recovery times.
It’s a message that’s seemingly resonating with VCs.
Halcyon today announced that it raised $44 million in a Series A funding round (plus $6 million in debt) led by SYN Ventures and Corner Ventures, with participation from Dell Technologies Capital. The new cash and loan, Miller said, will be put toward bolstering the company’s engineering and R&D departments and strengthening its ongoing sales and marketing outreach.
“We view our product as unique in that we have no direct competitors, and in fact want to improve other security tools in use by our customers,” Miller, who serves as CEO, said. “We assume first that all security layers will fail at some point, including our own. That’s why we have focused on building a product with resilience in mind.”
Miller might assert that Halcyon is without direct competitors. But the cybersecurity space — which has seen funding fall consistently, with dealmaking reaching a two-year low in the most recent fiscal quarter, according to Crunchbase — is overflowing with vendors. The financial crunch threatens to turn up the heat even higher.
But Miller patiently lays out what he sees as Halcyon’s market-beating differentiators.
For one, the platform taps AI to recognize “malicious intent,” trained on a data set of millions of real-world ransomware events. That’s as opposed to the static, rules-based detection schemes that some cybersecurity platforms use, Miller says.
“To build detection engine models, security companies will ingest millions of samples, indicators and artifacts from a variety of sources,” he added. “We have started much more narrowly in order to not pollute our models with data not relevant to ransomware campaigns or broken samples like those commonly pulled from public malware repositories.”
Halcyon attempts to detect and block known bad executables like off-the-shelf commodity ransomware and pass unknown but suspicious executables to additional “protection layers” for further analysis. In addition, the platform attempts to “trick” ransomware into aborting or revealing an attack by exploiting features hardcoded in the ransomware software itself — triggering code via deception techniques.
Halcyon’s other unique component is a “resiliency layer” that kicks in if the platform’s detection and prevent layers fail. As Miller describes it, the resilience layer captures the encryption keys generated during the attack, allowing IT and security teams with a way to automatically decrypt the impacted endpoints — rendering the attack useless.
Typically during a ransomware attack, attackers encrypt various endpoints on a network — for example, laptops — and demand ransom in exchange for decryption. Halcyon’s approach sounds like a clever way to combat this. That’s assuming that it works as well as Miller says, of course.
In any case, Halcyon has attracted considerable interest from investors, having raised a total of $50 million since 2020 inclusive of the Series A. Miller says that business was briefly impacted by the Silicon Valley Bank collapse — Halcyon was a corporate credit card and loan customer with the bank — but that Halcyon has since “diversified its banking relationships” to better manage risk.
With a customer base of around 51 companies, Halcyon plans to grow the size of its workforce from 75 people to around 100 by the end of the year. In terms of product, Miller says that Halcyon will launch a data exfiltration tool to stop the “double extortion” techniques commonly used by ransomware groups today as well as support for additional operating systems including Linux and Mac.
Double extortion attacks usually involve hackers that threaten to encrypt sensitive data and publish it on the dark web or sell it to the highest bidder.
“With the growth of ransomware operations and the economy that supports them, gaining access to credentials and systems is easier and cheaper than ever before,” Miller said. “Products that do not start with an approach that prioritizes resilience will generate more risks to the business and higher cyber insurance premiums which have an impact across all aspects of the organization.”
Miller wouldn’t reveal Halcyon’s revenue when asked, and, when pressed on why the company raised debt, said only that it was for “flexibility” in the near term. But if surveys are anything to go by, demand for Halcyon’s product won’t wane anytime soon — which could be good news for the bottom line.
A survey by CyberCatch found that 75% of companies wouldn’t be able to survive a ransomware attack. Another poll, this by Mimecast, shows that 47% of companies have been successfully attacked by ransomware.
Considering they’re coming from vendors, is there an element of fear-mongering in those numbers? Perhaps. But fear does sell, it’s true.