Ransomware abuses Genshin Impact's kernel mode anti-cheat to bypass antivirus protection

(Image: code in purple and white whooshing away from the screen, with a Genshin Impact emoticon of the character Paimon looking surprised at the whooshing in the corner. Image credit: Negative Space, edited by Jon Bolding)

Update: HoYoVerse PR sent PC Gamer this statement: "The HoYoverse team takes information security very seriously. We're currently working on this case, and will find a solution as soon as possible to safeguard players' safety and stop potential abuse of the anti-cheat function. We will keep you posted once we have further progress."

Original Story: Security skeptics and advocates have worried for some time now that exploits able to take advantage of anti-cheat kernel-mode drivers could wreak serious havoc on PC security. Now it seems to have happened: The anti-cheat driver used by Genshin Impact, the popular free-to-play RPG, has been abused by a ransomware actor to stop antivirus processes and enable the mass deployment of their ransomware.

A new whitepaper published August 24th by Trend Micro explains how the perfectly legitimate driver mhyprot2.sys was used, absent any other parts of Genshin Impact, to gain root access to a system.

"Security teams and defenders should note that mhyprot2.sys can be integrated into any malware," wrote authors Ryan Soliven and Hitomi Kimura. 

"Genshin Impact does not need to be installed on a victim’s device for this to work; the use of this driver is independent of the game."

Kernel-mode drivers are at the very core of your computer's system. At the risk of gross oversimplification, software at the kernel level generally has more control over your PC than you do. Genshin Impact's anti-cheat was previously under scrutiny for continuing to run—at the kernel level—even after you closed the game. Developer HoYoVerse, then known as MiHoYo, later changed that.

The paper is clear that this is a severe security breach of the entire Windows operating environment. It notes that the driver module "cannot be erased once distributed" and isn't inherently malicious—simply an abusable piece of otherwise-legitimate software. 

"This module is very easy to obtain and will be available to everyone until it is erased from existence," the paper states. "It could remain for a long time as a useful utility for bypassing privileges. Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module."
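The paper's point that the driver is legitimately signed means a valid signature cannot be what clears a driver load; a defender has to watch for the module itself. The following is an added example, not code from the article or from Trend Micro, of detection logic over Sysmon "Driver loaded" (Event ID 6) records: it flags mhyprot2.sys by image name and also catches a renamed copy by hash, since the file name is trivial to change. The sample events are constructed, and the SHA256 value in the watch list is a placeholder because the article publishes no hashes; replace it with the hashes from the report or a threat-intel feed.

```python
"""Flag known-abusable signed drivers (BYOVD) in Sysmon Event ID 6 'Driver loaded' records."""
import ntpath
from dataclasses import dataclass

# Drivers known to be abused as "bring your own vulnerable driver" tooling.
# mhyprot2.sys is the name given in the article. The SHA256 entry is a PLACEHOLDER
# (the article publishes no hashes); fill it from the Trend Micro report or a vendor feed.
WATCHLIST = {
    "mhyprot2.sys": {"PLACEHOLDER_SHA256_OF_ABUSED_MHYPROT2_BUILD"},
}


@dataclass
class DriverLoad:
    image: str             # Sysmon field ImageLoaded
    sha256: str            # taken from the Hashes field (SHA256=...)
    signed: str            # Sysmon field Signed ("true"/"false")
    signature_status: str  # Sysmon field SignatureStatus ("Valid", "Expired", ...)


def parse_driver_load(record: str) -> DriverLoad:
    """Parse the 'Key: value' lines of a Sysmon Event ID 6 message body."""
    fields = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    hashes = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").upper(),
        signed=fields.get("Signed", "").lower(),
        signature_status=fields.get("SignatureStatus", ""),
    )


def classify(load: DriverLoad) -> list:
    """Return the reasons this driver load should be alerted on (empty list = not on the list)."""
    reasons = []
    name = ntpath.basename(load.image).lower()
    if name in WATCHLIST:
        reasons.append(f"known abusable driver name: {name}")
    for wl_name, hashes in WATCHLIST.items():
        if load.sha256 and load.sha256 in hashes and name != wl_name:
            reasons.append(f"renamed copy of {wl_name} (hash match)")
    # Deliberately no 'signed and Valid => ignore' shortcut: the abused driver carries a
    # valid vendor signature, so signature state must not suppress a watch-list hit.
    return reasons


def scan(records) -> list:
    """Run every record through the parser and classifier; return (image, reasons) for hits."""
    alerts = []
    for rec in records:
        load = parse_driver_load(rec)
        reasons = classify(load)
        if reasons:
            alerts.append((load.image, reasons))
    return alerts


# Constructed sample events (not real telemetry): a normal system driver, the anti-cheat
# driver dropped outside any game install, and a renamed copy carrying the watch-listed hash.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys\n"
    "Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111\n"
    "Signed: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\mhyprot2.sys\n"
    "Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222\n"
    "Signed: true\nSignature: <vendor signer, not asserted here>\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Temp\\svc.sys\n"
    "Hashes: SHA256=PLACEHOLDER_SHA256_OF_ABUSED_MHYPROT2_BUILD\n"
    "Signed: true\nSignature: <vendor signer, not asserted here>\nSignatureStatus: Valid",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

Run against the constructed events, the first record produces nothing and the other two are reported; the name check is what the article's scenario trips, while the hash check is what survives a rename. In a real pipeline the records would come from the Sysmon operational log rather than an inline list, and the watch list would be fed from a maintained source rather than a hard-coded dictionary.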

This is hardly the first time that kernel-level anti-cheat has been a security concern for the games industry. A double whammy hit in May 2020 when both Riot Games' Valorant and Doom Eternal released with kernel-mode anti-cheat. At the time, Riot noted that plenty of other kernel-level anti-cheat software already existed—although not to the extent of Riot's Vanguard software, which begins when Windows boots up.

But kernel-level anti-cheat technology is generally effective, and for some gamers who are sick of dealing with cheaters, that makes the risk worthwhile. By the end of last year, for instance, Call of Duty players were unhappy enough with cheaters that some welcomed Activision Blizzard having access to every bit of memory on their entire PC.

No matter the history and now-widespread usage, this kind of abuse is exactly what those who feared the spread of kernel-mode anti-cheat were warning of. If a vulnerability has been found, what follows could be significantly worse than vulnerabilities in normal, user-level anti-cheat software. I've reached out to MiHoYo for comment on the report, and will update if I receive a reply.

Jon Bolding is a games writer and critic with an extensive background in strategy games. When he's not on his PC, he can be found playing every tabletop game under the sun.