Hacker News

While this is a pretty cool abuse of the Windows APIs, it seems to me from a first reading that it's not very "dangerous" compared to existing techniques for malware and ransomware to hide their activity. While the user-imitating technique seems to have succeeded against typical anti-ransomware methods in a wide slate of antivirus products, these products already fail to detect and stop most actual ransomware in the wild. This is just another way to get around antivirus, and definitely one of the more complicated ones. And the user-imitating technique doesn't help against more advanced antivirus and EDR that analyzes the process tree and would immediately flag the wacky stuff they're doing with cmd.exe.


