I like this method, I think we could improve it by switching it to a tightly compiled Linux distro.
A smaller footprint should help make it more difficult to detect running in the background.
You could build a tiny distro specifically for the VM, including only absolutely the modules necessary to operate, nothing more, nothing less. Heavily reducing the ram and storage footprint, thus less obvious.
Because we're stimulating hardware in a VM, that should be dead simple. Stick the ability to mount NTFS and FAT32 in there, and we're good to go.
Although, it may be worth seeing if we can use an existing hypervisor on the system, dumping a new one just for the ransomware seems pointless when one already exists.
A hidden VM configuration on an existing hypervisor would work a treat, and would probably remain unnoticed while it performs it's task, or longer if we also siphoned some user data for ourselves.
Ofc, if not available dump our own legit-looking hypervisor instead.
The advantage is, if it was done so that the virus code and os are linux based, it would be more difficult for your average Windows AV to pickup.
That said, viruses and ransomware are bad. Don't do it. I'm not endorsing this behaviour in any way. Simply some random ideas.