No, it's not possible to recover the private RSA key; not with a timing attack, not with a debugger, not with any technical means. There isn't enough information on the victim's computer.
The timing attack you describe requires timing the decryption operation, which could reveal the decryption key. But the malware isn't ever decrypting anything, it's just encrypting the victim's data. The malware doesn't even have the decryption key until after you pay the ransom.
All a timing attack could tell you about RSA keys during encryption is the encryption key, but that's just the public key that your machine's virus retrieves from their server. The whole point of asymmetric encryption security is to separate encryption secrets from decryption secrets.
EDIT
I reread your question more carefully, and I now understand that you're asking if it's possible to attack the criminal's server, not the client-side malware. Yes, servers can obviously be attacked. And yes, side-channel attacks are one of the many potential tools that could be used to attack them. But the thief doesn't operate just one server, he's operating a large farm of them; the client-side malware simply keeps testing for servers until it finds one that responds. In order to recover your own data, you would need to identify the correct server containing your key, hack into it, and exfiltrate all the data from it before he wipes all the stored private keys (either in response to the attack or because you didn't pay him in time). Even if such an attack were successful, it would do little to help with future attacks, as each private key is reportedly generated on request.
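
The point about what a timing measurement can reveal during encryption versus decryption, as an added illustration that is not part of the original answer: textbook RSA with square-and-multiply, where the count of conditional multiplies stands in for measurable running time. The primes, key pairs, sample values and all function names are constructed for this example, and the multiply count is a simplified model of a timing channel.

```python
# Added illustration: textbook RSA with tiny constructed primes (no padding).
# The multiply count is a simplified stand-in for measurable running time.

def modexp_trace(base, exponent, modulus):
    """Left-to-right square-and-multiply. Returns (result, multiplies)."""
    result, multiplies = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus      # executed for every bit
        if bit == "1":                            # executed only for 1-bits
            result = (result * base) % modulus
            multiplies += 1
    return result, multiplies

def make_keypair(p, q, e):
    """Return ((n, e), (n, d)) for constructed primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # Python 3.8+ modular inverse

def timing_profile(key, inputs):
    """Set of multiply counts an observer would see when this key is used."""
    n, exponent = key
    return {modexp_trace(x, exponent, n)[1] for x in inputs}

def roundtrip(public, private, message):
    """Encrypt with the public key, decrypt with the private key."""
    c, _ = modexp_trace(message, public[1], public[0])
    m, _ = modexp_trace(c, private[1], private[0])
    return m

# Two constructed key pairs that share the public exponent e = 17.
PUB_A, PRIV_A = make_keypair(61, 53, 17)
PUB_B, PRIV_B = make_keypair(89, 97, 17)
SAMPLES = [2, 42, 1234]                           # constructed inputs, all < n

if __name__ == "__main__":
    # Encryption only ever touches e, so both key pairs look identical.
    print("encrypt A:", timing_profile(PUB_A, SAMPLES))
    print("encrypt B:", timing_profile(PUB_B, SAMPLES))
    # Decryption touches d, so the profile differs per private key.
    print("decrypt A:", timing_profile(PRIV_A, SAMPLES))
    print("decrypt B:", timing_profile(PRIV_B, SAMPLES))
```

The encryption profiles are the same for both key pairs because they depend only on the public exponent; only the decryption profiles, which are produced where the private key is used, differ between keys.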