[CiPHPerCoder]

There are 4+N keys involved.

  - The attacker's RSA private key (UNKNOWN)
  - The attacker's RSA public key (KNOWN)
  - The local device's RSA private key (KNOWN, but then poorly wiped)
    - This is encrypted with the attacker's RSA public key
  - The local device's RSA public key (KNOWN)
  - A separate AES key for each file
    - These are encrypted with the local device's RSA public key

How decryption should work: Get the local device's RSA private key from the attacker (EDIT: this is not the attacker's RSA private key, it's the local one), then you can decrypt the AES key for each file.

[uep]

If someone were to pay up and receive the attacker's private key, what's to stop them from distributing it to others?

[equivrel]

That's exactly the trick: the attacker doesn't send you their private key, they decrypt (using their private key) the other private key that the ransomware generated on your machine, which is what was used to encrypt the per-file AES keys.

[chinhodado]

To clarify, the files are encrypted with a symmetric key, which even though is "private", is not part of a public-private key pair in asymmetric crypto.

[knome]

The attacker probably just decrypts your locally generated key. I doubt they send along the master key.