It tries to hide itself and cover up its actions. It detects when it is being studied in a virtual sandbox, and so it sits still to evade detection.
“Sandbox traces can not account for the range of behaviors encountered in the wild.” They had found that, as Dumitras expected, traces collected in a sandbox rarely capture the full behavior of malware in the wild. In the case of https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry, for instance, sandbox tracing only caught 18% of all the actions that the randomware attack executed in the wild.