Late last spring the cybercriminals behind the Ragnar Locker ransomware used a virtual machine to evade detection, specifically an Oracle VirtualBox with Window XP inside.
Experts predicted at the time that the evasion technique would likely be adopted by other malware gangs. They were right.
In late September security researchers at Sophos published a report about attackers using the VM technique to attempt to infect computers with the Maze ransomware.
That attack took place in July and involved a full installation of Windows 7, also running inside a VirtualBox.