Starting from a high school club, three post-2000 geniuses developed a "vaccine" for network ransomware, helping enterprises "snatch" data from hackers | Underwater project

杨越欣(杨桃)2026-03-25 09:54
The entrepreneurial journey starting from the technological ideal in adolescence

"Your files have been encrypted. Pay the ransom within 72 hours, or the data will be permanently destroyed." - This is a typical scenario of cyber extortion that many people have encountered.

Cyber extortion is a common cybercrime. Hackers implant ransomware into the computer systems of enterprises or individuals, making it impossible for them to open or run normally, and then extort ransoms. According to the Orange Cyberdefense report, cyber extortion crimes have been growing explosively globally. Since 2020, the number of victims has tripled, and more than 19,000 organizations have been affected.

As one of the earliest domestic companies specializing in cyber extortion defense, "Sierting" is currently one of the few companies globally with in-depth emergency prevention and control capabilities for ransomware. Sierting was founded in 2022. Through self-developed core technologies such as key capture and AI large-model adversarial training, it provides anti-extortion services such as emergency response, traceability analysis, and data recovery to attacked users.

The real starting point of Sierting can be traced back to the computer room of a high school in Karamay, Xinjiang in 2015. At that time, He Ying, who was only 15 years old, and her classmate Alizhati Helili (hereinafter referred to as "Ali"), also a computer genius, founded the "Thirteen-year" cyber security club there. They participated in many cyber security competitions, which attracted the attention of the local government and cyber security companies. Later, He Ying, the founder of Sierting, was specially invited by many companies to be a cyber security engineer and led the team to assist domestic security agencies in combating more than a hundred cyber security crimes.

Ali currently serves as the CTO of Sierting. He was admitted to the cyber security junior class of Sichuan University in his sophomore year of high school and led the research and development of the first "ransomware key capture" technology in the country. Liang Wenhao, the market director, joined the "Thirteen-year" club during his college years. He is a specially invited expert on Central Asian cyber security issues of the "Tree of Shanghai Cooperation". He has many years of experience in cyber security operation and the implementation of cyber security competition projects.

Currently, Sierting's customers cover more than 500 units in more than 20 industries globally, and it has helped customers recover economic losses of more than 100 million yuan in total. After consolidating its domestic cyber security business, Sierting is planning to further expand its overseas market and extend the company's technological advantages to fields such as AI security.

1. Break through the key capture technology and develop a "vaccine" for cyber ransomware

In the past decade, relying on the popularization of Bitcoin, cyber ransomware has rapidly developed from the relatively marginal black areas such as the "dark web" into a transnational black industrial chain, affecting almost all industries such as finance and energy, as well as the digital systems of institutions such as schools, airports, and governments, causing tens of billions of yuan in losses globally every year.

On March 23, 2025, Kuala Lumpur International Airport in Malaysia was attacked by ransomware. The airport's core operating system had large-scale abnormalities and was paralyzed for more than 10 hours, resulting in direct economic losses of more than $5 million, such as flight delay compensation.

The development of AI technology has made ransomware attacks more rampant. The traditional defense method is to perform static matching of viruses with the feature library, which can defend against some known viruses but is helpless against new mutant viruses.

"We are the earliest domestic company specializing in ransomware emergency response and have handled nearly 2,000 real extortion incidents in total," Liang Wenhao introduced. After hackers find security vulnerabilities in an institution's digital system, they generally deliver ransomware to the target system through phishing emails and then use encryption algorithms to lock the system or files, forcing the victim to pay the ransom (usually in Bitcoin) to restore the system to normal.

After long-term research on the ransomware used by hackers, the Sierting team found that no matter how the ransomware mutates, it must call the underlying encryption functions of the operating system and generate or load the keys for file encryption in the memory.

Therefore, just as the antibodies in the human body can recognize and eliminate viruses after vaccination, Ali led the technical team to develop a set of key capture technology. At the moment when the virus calls the system encryption function, it intercepts through HOOK technology and extracts the encryption key being used, thus cracking the virus's encryption algorithm and helping the victimized users restore their data and systems to normal.

Specifically, Sierting will deploy a "vaccine" defense system for the customer's digital system, including terminal monitoring, key capture, cloud analysis, and on-site traceability, and conduct real-time monitoring of the customer's system. Once abnormal behavior is detected, the vaccine system will immediately intercept it. If the interception fails and the ransomware starts the encryption process, the vaccine will crack the virus algorithm through the key capture technology.
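The key-capture idea described above can be sketched as a small simulation. This is an added example, not Sierting's code: `os_encrypt`, `KeyVault`, the dictionary standing in for the OS function table, and the sample buffers are all hypothetical. It also shows the case where encryption happens before the hook is in place.

```python
import hashlib
import os

def os_encrypt(key: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in for an OS crypto API: XOR with a SHA-256
    counter keystream, so the same call also decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyVault:
    """Wraps an API-table entry and records each key it sees."""

    def __init__(self):
        self.records = {}  # ciphertext digest -> key (indexing is an assumption)

    def install(self, api: dict, name: str) -> None:
        original = api[name]

        def hooked(key, data):
            out = original(key, data)  # let the call proceed unchanged
            self.records[hashlib.sha256(out).hexdigest()] = key
            return out

        api[name] = hooked  # swap the table entry, as an import-table hook would

    def recover(self, ciphertext: bytes):
        key = self.records.get(hashlib.sha256(ciphertext).hexdigest())
        return None if key is None else os_encrypt(key, ciphertext)

def demo():
    api = {"encrypt": os_encrypt}  # constructed stand-in for the OS function table
    files = {"a.txt": b"quarterly report", "b.txt": b"customer ledger"}  # constructed
    # One buffer is encrypted before the hook exists: its key is never seen.
    early = api["encrypt"](os.urandom(32), files["a.txt"])
    vault = KeyVault()
    vault.install(api, "encrypt")
    # An unknown caller uses a fresh random key per file and discards it.
    locked = {n: api["encrypt"](os.urandom(32), d) for n, d in files.items()}
    restored = {n: vault.recover(c) for n, c in locked.items()}
    return restored == files, vault.recover(early)

if __name__ == "__main__":
    print(demo())
```

Data encrypted after the hook is installed is restored from the recorded keys; the buffer encrypted earlier returns `None`, which is why the monitoring has to be deployed before an incident.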

After the crisis is resolved, Sierting will conduct source-code-level analysis of the virus captured at the terminal, restore the original code of the virus, and report the threat information to the cloud ransom intelligence platform. Ali said that the original virus samples will also be included in Sierting's own virus library and feature library, providing continuous learning data for the underlying AI large model. "The more customers we serve, the richer the actual combat samples we obtain, which in turn empowers the continuous evolution of the vaccine product."

SAR operation process

On February 21, 2025, Sierting's intelligence monitoring team detected that a customer's sensitive data was being publicly sold in a Telegram black-market group. Subsequently, Sierting launched an emergency response, completed public opinion handling and virus traceability on the same day, removed the backdoors left by hackers, and submitted relevant suspect clues to the regulatory authorities. Three months later, the suspects involved were arrested by the police.

Emergency response process

In Liang Wenhao's view, ransomware defense is an endless war of "the magic is one foot higher as the Tao is one foot taller". To enable the company to keep recruiting excellent cyber security talent and to promote talent building in the field of information security, the Sierting team has, over the past five years, consciously built a professional and scenario-based talent training system, launching the "Zhixing" AI cyber security education platform, the "Tianshou" cyber security competition platform, and the "Moyu" offensive and defensive drill platform.

On this basis, Sierting has built the "Youth CTF Platform", a communication and practical drill community for cyber security beginners. Currently, this platform has more than 20,000 registered users, has hosted more than 80 public-welfare CTF competitions for universities, enterprises, and various organizations, and has been used by more than 40 schools. (Note: CTF stands for Capture The Flag, which is a technical competition in the field of cyber security. Participants score by solving various security challenges to obtain a flag, a string in a specific format.)

2. Build a full-link defense product system with an annual revenue of 20 million yuan

Liang Wenhao said that in recent years, Sierting's business has mainly focused on emergency response and decryption recovery services. "Enterprises often ignore information security risks before being attacked by ransomware. So most of the customers who come to us for the first time have already been extorted and want to recover their losses." In the process of "putting out the fire" for attacked customers, Sierting has gradually established trust and long-term cooperation relationships with customers. After experiencing the losses caused by ransomware attacks, customers' awareness of preventing information security risks will also increase.

From "mending the fold after the sheep is lost" to "taking precautions before it happens", in addition to the "vaccine" product, Sierting has gradually built an integrated product solution for ransomware. "Several bank customers said before that the superior departments required financial institutions to conduct information security capability assessments and asked if we could provide corresponding technical services. So we launched the 'physical examination' evaluation product," Liang Wenhao introduced. The evaluation product uses Sierting's long-term accumulated ransomware sample library to simulate real ransomware attacks in the isolated environment specified by the customer, helping the customer evaluate the actual interception rate, detection ability, and response shortcomings of the existing security products and generate an evaluation report.

In the past, when serving customers, Ali found that some files were damaged during the encryption process by hackers, and the data could not be fully recovered after decryption. "But customers are not virus experts, and it's difficult for us to prove that the data damage was caused by hackers rather than a technical problem in the decryption process itself. Later, in order not to affect the customer experience, we would take the initiative to repair the data for customers after decryption to ensure the final delivery quality."

To ensure the security of customer data, Sierting has established strict internal mechanisms for authority grading, process isolation, and operation auditing, so that no single person holds full-link permissions.

In 2025, Sierting's revenue reached 20 million yuan, of which 65% came from emergency response services and 35% from standardized product sales. Liang Wenhao said that since the emergency response solutions are difficult to scale and limited by the number of top-notch talents, Sierting hopes to increase the product revenue ratio from 35% to 70% in the next few years.

Increasing the product revenue ratio depends on enterprises becoming more aware of pre-event prevention. For this reason, Sierting has been continuously publishing popular science videos about cyber ransomware and defense on content platforms such as Douyin and Baidu for long-term market education. "Currently, the short-video platforms have started to help us acquire customers, and the conversion rate is about 20%," Liang Wenhao said.

3. Bet on the overseas market and AI security

As Chinese enterprises expand globally, the information security risks they face in overseas markets have also increased rapidly. Due to data security compliance requirements, Chinese enterprises often cannot directly cooperate with foreign cyber security companies. In Liang Wenhao's view, this provides a new market opportunity for Sierting to safeguard the information security of Chinese enterprises going overseas.

Previously, Sierting provided security services for a super-large oil field in Iraq, sending employees to the site for daily monitoring and maintenance. Once a suspected ransomware attack occurred, the on-site team would immediately start emergency disposal, and the domestic technical team would respond remotely and conduct virus traceability analysis at the same time.

In addition to expanding the overseas market, Sierting is also closely monitoring the AI security issues of enterprise information in the era of large models. In particular, the rapid popularization of AI agent frameworks such as OpenClaw has posed new challenges to the information security of individuals and institutions.

"The premise of the safe use of AI is data security, and data security is strongly related to anti - ransomware, which is also our strength." Liang Wenhao said that in the current situation where AI is rapidly changing the digital boundaries of enterprises, cyber security is no longer just about single - point vulnerabilities and single - time attacks. Attack methods are evolving at an accelerated pace, data is flowing more frequently, and the risk exposure of enterprises is also constantly expanding. For Sierting, this means that anti - extortion is not just about "restoring after an incident", but rather precipitating the experience accumulated in actual combat into more long - term intelligence capabilities, product capabilities, and systematic protection capabilities.

When we asked Liang Wenhao and Ali why they didn't choose to be hackers but instead chose to start a business with hard work, Liang Wenhao smiled and said, "Almost every customer has asked this question. Although hackers can easily obtain huge profits, it also means living a life in anonymity for a lifetime. The reason why we have come this far together is that we want to use our technical abilities to build a great, long-lasting, and positive company." He said that compared with the label of "genius", they prefer to define themselves as a group of people who have been staying on the front line and constantly dealing with real problems.

After He Ying and Ali showed their computer talents in high school, they quickly received support from the school and the local government. In Ali's view, this support played an important guiding role in their life-direction choices in their teenage years when their worldviews were not yet formed. "It made us know that our abilities are not only for being hackers but also for doing positive and meaningful things for others, and we can gain a greater sense of personal value, which is much more interesting than making money in an unethical way."

In its early stage, in addition to the prize money the founding team won in various information security competitions, Sierting also received attention and support from the government. In 2022, Sierting received a strategic investment of 5.1 million yuan from Zhengzhong Information, a listed company under the State-owned Assets Supervision and Administration Commission of Shandong Province.

Sierting team

The story of "Thirteen-year" began with the technical ideal in adolescence, and "Sierting" is like the continuation of this ideal today: "We always remind ourselves to remember why we started and always insist on thinking, listening, and solving real problems. In this ever-changing AI era, what we want to do is not just to 'grab back' the data for customers again and again, but to continuously defend the security bottom line in the digital world of more enterprises." Liang Wenhao said.

(Authors: Feng Yaling, Yang Yuexin)