It's probably not advisable to open in VMs anymore; there have been a couple that "break out", normally via the network, as the host is connected. Can't imagine ransomware is too far away from utilising such a feature to slow down AV vendors testing it.
Most modern Ransomware already has sandbox evasion techniques built in - some of them quite sophisticated.
VirtualBox can be detected by looking at the drivers it uses (McAfee/Intel's sandbox is detected this way).
FireEye sandboxes can be evaded by checking on the number of CPU cores you are running - their appliances use 1 core per VM whereas most laptops have multiple cores, so malware just decided not to run in a single core environment.
Below is an example of activities discovered in a piece of malware that was considered zero-day on Friday just gone:
-----------------------------------------------------------------------------------------------------------------------------------------
Evasion: Potential detection of analysis tools (dbghelp.dll)
Evasion: Potential detection of virtual environment (Sandboxie)
Evasion: Potential detection of virtual environment (Sunbelt)
Evasion: Trying to detect analysis virtual environment (HDD detection)
File: Modifying executable in suspicious location of application data directory
File: Modifying executable in user-shared data directory
File: Searching for files iterating over directories
Packer: Overwriting Image Header (malicious packer)
Search: Enumerates running processes
Search: Enumerating keys related to FTP clients
Search: Retrieving the user account name
Search: Searching for FireFox Security Certificates
Search: Searching for FireFox Security module database
Search: Searching for Firefox Key Database
Steal: Password brute-forcing capabilities
Steal: Potentially malicious application/program (FTP Credentials Stealer)
Steal: Reading FTP client credentials
Steal: Reading browser stored credentials (Internet Explorer)
Steal: Reading browser stored credentials (Opera)
Steal: Reading system license information
Steal: Targeting Mozilla stored passwords
The MD5 of that malware is 0ac902c6c71dd2372ecf6d4b8717c72c for the curious.
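
Added example, not part of the original posts: a small Python parser for "Category: description" report lines like those quoted above, which lists what the sample probed for so an analyst can see which tells the analysis environment exposes. The function names and the triage rule are assumptions of this example, not any vendor's logic.

```python
import re
from collections import defaultdict

# A subset of the report lines quoted in the post above.
REPORT = """\
-----------------------------------------
Evasion: Potential detection of analysis tools (dbghelp.dll)
Evasion: Potential detection of virtual environment (Sandboxie)
Evasion: Potential detection of virtual environment (Sunbelt)
Evasion: Trying to detect analysis virtual environment (HDD detection)
Packer: Overwriting Image Header (malicious packer)
Search: Enumerates running processes
Steal: Reading FTP client credentials
Steal: Reading browser stored credentials (Opera)
"""

# "Category: description" with an optional trailing "(target)".
LINE = re.compile(
    r"^(?P<cat>[A-Za-z]+):\s+(?P<desc>.+?)(?:\s+\((?P<target>[^)]+)\))?$"
)

def parse_report(text):
    """Group findings by category, keeping the parenthesised target if any."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # separator lines and free text are skipped
            findings[m["cat"]].append((m["desc"], m["target"]))
    return dict(findings)

def evasion_targets(findings):
    """What the sample looked for: tells the analysis host should not expose."""
    return sorted({t for _, t in findings.get("Evasion", []) if t})

def triage(findings):
    """Hypothetical triage rule (an assumption of this example)."""
    evasive = bool(findings.get("Evasion"))
    stealer = bool(findings.get("Steal"))
    if evasive and stealer:
        return "evasive credential stealer: re-run on a hardened analysis host"
    if evasive:
        return "evasive: a quiet sandbox run is not evidence of benign behaviour"
    return "stealer" if stealer else "no evasion or theft indicators"

if __name__ == "__main__":
    found = parse_report(REPORT)
    print(triage(found))
    for name in evasion_targets(found):
        print("probed for:", name)
```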