Can you explain in simple terms how the Ragnar Locker gang used the virtual machine to deploy the ransomware executable?

​This is the first time we have seen virtual machines used for ransomware. The Ragnar Locker gang embedded the ransomware executable on the virtual disk image (VDI) of the virtual machine (VM). The ransomware executable is not sent into the network and is not run on the physical endpoint, but runs solely in the virtual machine.

On the physical machine, the actions by the ransomware in the virtual machine are tunnelled and performed by a well-known and normally trusted process. A tell-tale sign is high CPU usage by a single process and the mass writing into existing documents and other files. The best tool to defend against this type of attack is with a security tool (anti-ransomware) that is specifically designed to detect the unusual mass file writes via behavioural monitoring with a zero-trust attitude.

As well as being a new technique, what is so threatening about this method of attack?

Source Article