Haven’t seen it used in ransomware yet; but similarly, the same is possible from WSL. I can run metasploit inside a WSL instance and the security tools on the host are none the wiser. It sucks for power users, but virtualization technologies may start being quashed in a lot of places until the security landscape catches up.