Then, the private key of that RSA key is encrypted with a public key embedded in the ransomware. That key is unique to each attack/victim.
I think this is where the confusion arises. That's certainly not what the description on the site that you specify cites:
The encryption is based on two algorithms: RSA and AES. First, an RSA session key pair is generated on the infected workstations. This key pair is encrypted using the embedded attacker's public key and saved on the registry SOFTWARE\LockBit\full.
The "embedded attacker's public key" is likely a public key which is owned by the attacker and which is embedded in the software. The private key of that key pair is kept somewhere secure by the attacker.
So I think this is just a misunderstanding really. The software could of course contain a whole host of pre-generated public keys, but it makes more sense to generate a key pair locally and then send back the encrypted private session key (whenever the victim decides to pay up).
The disadvantage is - of course - that if the victim can somehow retrieve the private key then all is for naught - in the eyes of the attacker. However, if the key pair can be kept in memory and destroyed directly after key pair generation / encryption then the attacker maintains their advantage.
Now to get your data back, the victim or the software sends "their" encrypted private key to the attacker; the attacker can decrypt it and send back the plaintext value.
Note that for RSA the RSA private key can be directly encrypted after generation as you'd only need the public key for encryption. An AES key would need to be present during the encryption operations. So having a separate asymmetric key does make sense to the attacker.