Sophos writes about quite surprising technique. During the infection, the 122MB "weight" installer is used, containing a 282 MB virtual, all to hide the 49 kB ransomware bin.
DISCLAIMER: The solutions presented on this page are the property of ACME LABS Sp. z o.o. and are subject to legal protection in Poland and abroad, on the basis of intellectual and industrial property rights.