MacKeeper is an invasive RansomeWare

[dy-scamed]

I was invaded on my Mac running Catalina 10.15.5 by MacKeeper. Everyone thinks it's just a virus scanner app that has bad code but the company is worse than what it appears. I will attach some files that they took over to take full control of my Mac and wanted 200 to go on it with their techs and "clean" the viruses and malware that I had. When I told them no I got the full brunt of their invasion. They quickly ran a js file that installed their ransomware before I could disconnect my mac from the internet completely. I then spent a day tracking all the files and broke them into readable code so I could see what it was doing. Here was my first clue that I wasn't getting my Mac system drive back. This is from the System/Driverkit/Runtime/.../kernal/.../info.plist: 

Note that it changed the package type to 'FMWK' and the signature is '????'. I went looking for files installed by FMWK and found it had rewritten the code in my grammar checker for chrome to include thousands of lines of code. It took over root and all the groups. It added it's own acct and changed the root/admin password so I couldn't undo their program or kill it. It had a line of code in it that basiclly said, "if any of my files are changed or missing to add them back right away." I did try a lot of deephack moves on their code but it would just put itself back. It added hundreds of files in all different types such as js, php, xml, css, de, oss, json, h, c, html, intime, py, ssh, and more. They wrote files into the usr/local/opt, opt/x11/bin, lib/ext, lib/apple, sys/vol/data and added a burred directory called /zz/. They captured my fingerprint reader because I have all my passwords in a safe. This they used to control what I could get to and do. They added com.apple.lockoutagent and webpack bootstrap so neither I nor Apple support could use the system recovery section to rewrite the system.  The grammar file base app was called Grammerly_popupeditor-denali.js. so I took it that they were from India. And I could go on for a long while about the code I found in these files but I couldn't do anything about it. I finally gave into the fact that they had won the battle and I totally cleaned the system drive and wiped my Mac til I knew it was clean. Then I used an external boot drive to reinstall the system. It's a good thing they couldn't get to my apple id password or my icloud id because they trashed my TimeMachine backup drive too and made it a mess. I had a couple of long days and nights breaking down what they had done and to what extent then reinstalling my system. I'm writing this account of their activities so other will be ware and maybe someone higher than me (Apple) will put them on the blacklist. Yes I did have Norton installed and it would have stopped them but they thought of everything and erased the main .exe file before they installed all this mess. Of course I could not reinstall it or any other app too. There are names for people like this that I won't say. I just hope someone shuts them down before we loose a government computer or something else important. It has taught me a valuable lesson in cybersecurity and that is to do better at it.  They will get theirs someday. I found them out and so will others. Please put them on the blacklist Apple.

[dy-scamed]

By the way I decided not to post any of their files so no one will accidently run one and get hacked.

 

[treed]

Can you provide more information about how you got in touch with the folks who took control of your computer? Do you recall what phone number you called, and where you found that phone number?