My guess is that the malware created a self-signed certificate in the certificate store then used the public key to encrypt the content of files in the background.
The public key is written in every file (It is the Unique-ID). The Scammer will send him the Master-Key + the Software that reverse the encryption. The chance to Crack/Brutforce what ever is is almost zero