Malicious Advertising?
Is there another kind?
Cybercrooks have brewed a strain of ransomware that uses elliptic curve cryptography for file encryption, and Tor for communication. The malware, dubbed OphionLocker, is spreading using a malicious advertising (malvertising) campaign featuring the RIG exploit kit. The ransomware encrypts files of particular types on infected …
Running the program in a VM allows the researcher to observe "from the outside" (i.e. from the hypervisor) what the program is doing, down to one instruction at a time when necessary. On bare metal, the malware will just do its deed without giving the researcher any insight about how it works.
"Running the program in a VM allows the researcher to observe 'from the outside'"
What does exist in the way of hardware monitoring (for PCs I am assuming)? Back in the day when I did mainframe OS support for ICL VME/K, the development team had hardware monitors they could attach for particularly recalcitrant bugs. Although I will accept that hardware monitoring is likely a lot more expensive than VM monitoring.
What does exist in the way of hardware monitoring
Most virtualized environments these days are hardware-assisted (on mainframes, for a long time; on x86, for a few years now). Even so, it is tricky to hide the fact that a program is running in a VM from that program. It is possible, but in most real-life scenarios it is better to let it know, so the fact is rarely hidden well enough to fool sufficiently sophisticated malware.
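As an added illustration of the point above, that a guest program can usually tell it is inside a VM because the hypervisor announces itself through CPUID: the program below (example code added here, not from any commenter or from the ransomware) reads the hypervisor-present bit (CPUID leaf 1, ECX bit 31) and, if it is set, the 12-byte vendor signature in leaf 0x40000000. It assumes a GCC or Clang build on x86 with `cpuid.h`; the signature strings are the well-known ones published by each vendor, and the register values in the comments are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31 is reserved for a hypervisor to announce itself;
 * Intel and AMD both document it as always 0 on bare metal. */
int hypervisor_bit_set(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* Decode the 12-byte vendor signature a hypervisor returns in EBX, ECX, EDX
 * for CPUID leaf 0x40000000. Bytes are taken low-to-high from each register,
 * which is how CPUID lays the string out, so this is endian-independent.
 * Example (constructed): EBX=0x61774D56 ECX=0x4D566572 EDX=0x65726177
 * decodes to "VMwareVMware". */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Map a signature to the hypervisor that publishes it. Unrecognised
 * signatures (including a bare-metal CPU vendor string) yield "unknown". */
const char *hv_name(const char *sig)
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },          /* NUL-padded to 12 bytes */
        { "Microsoft Hv", "Hyper-V" },
        { "XenVMMXenVMM", "Xen" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i].sig) == 0)
            return known[i].name;
    return "unknown";
}

/* Run the check on the current CPU. Returns 1 if the hypervisor bit is set
 * (and fills `name` with the signature), 0 if it is clear, -1 if CPUID is
 * unavailable (non-x86 build). */
int detect_hypervisor(char name[13])
{
    name[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hypervisor_bit_set(ecx))
        return 0;
    /* Leaf 0x40000000 is only meaningful once the bit is set. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_string(ebx, ecx, edx, name);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char sig[13];
    int r = detect_hypervisor(sig);
    if (r < 0)
        puts("not an x86 build, CPUID unavailable");
    else if (r == 0)
        puts("hypervisor bit clear: bare metal, or a hypervisor that hides it");
    else
        printf("hypervisor bit set, signature \"%s\" (%s)\n", sig, hv_name(sig));
    return 0;
}
```

A hypervisor can choose not to set the bit (QEMU/KVM, for instance, accepts `-cpu host,-hypervisor` and `kvm=off` to hide itself from guests), which is the "it is possible" part of the comment; what it cannot easily hide are timing differences and device artifacts, so a clear bit is weak evidence of bare metal, which is why a sandbox is better off leaving it set.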
"Im sure the AV researchers have decent budgets for R&D."
You don't need high-end kit to get pwned. Does the ransomware have a minimum hardware spec? There's lots of cheap ex-corporate kit around to build a honeypot. (It might even arrive already loaded with malware.)