I once read an article by a guy who did let them into a VM he had. He had been reviewing something and was about to throw away the VM when they called.
Apparently the "tech support" guy upgraded his version of Office for him, emptied the trash, and made some performance-related registry changes/improvements. All apparently legit stuff (even if the software was illegal copies). Then asked for "$20" for his work. The author even compared the Office ISO to a known good copy and couldn't find any illegal payload. This was pre-ransomware (or at the very emergence of it).
Many of these virus tools won't run in a VM - they know that the honeypots are all VMs so the software attempts to detect and remain hidden.
My favorite was a video on YouTube. There's a version of Linux that doesn't store files permanently. The video is of the hacker's console as they download files and then can't execute them. They unpack a zip file... "ls" and see results. But then attempt to run the utils and they aren't there. So the guy "ls" again - sees empty folder, does a "cd" thinking he unpacked to the wrong folder. Nope. Downloads again. Checks the version of Linux. Tries again. Repeats many times before giving up.