Yes, the test was done online. It has to be, as quite a few of the included ransomware needed to talk to their C2 server to actually perform any encryption. That being said, the cloud has no influence on the detection. It just makes decisions for you. When you perform the same test with cloud protection disabled, you will get these alerts:
Ransomware
I stopped after a single alert, but most of these ransomware will trigger a whole bunch of them. For example, those are all the alerts that running TeslaCrypt would produce:
TeslaCrypt Alerts
Clicking on quarantine on any of them, would have prevented encryption.