In a recent post from Sonicwall, one security expert describes how he negotiated with Ransomware operator.
The SonicWall Capture Labs Threat Research Team has conducted an experimental dialog with a ransomware operator using the PayDay ransomware trojan. PayDay, is a recent variant of the BTCWare ransomware trojan and has been in the wild for a few weeks. PayDay follows the current ransomware operator trend of using email to communicate with their victims in order to demand payment for file decryption. Payment has increased to an astronomical 0.5 Bitcoins (roughly $8000 USD at today's prices). In this case however, the price could be negotiated lower.
Further in the story the scammer got scammed-
The operator begins to show signs of impatience and offers additional help in my request to (obviously not) pay him via PayPal:
We make a brash attempt to obtain an IP address associated with the operator by causing him to visit a webserver under our control:
Moments later access logs reveal a visit from an IP address located in the Czech Republic. After perhaps realizing his mistake, there were subsequent visits from IP addresses located in multiple countries around the world.
Read the full story here https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1106