Ransomware abuses Genshin Impact's kernel mode anti-cheat to bypass antivirus protection

pcgamer.com:

Security skeptics and advocates have worried for some time now that exploits able to take advantage of anti-cheat kernel-mode drivers could wreak serious havoc on PC security. Now it seems to have happened: The anti-cheat driver used by Genshin Impact, the popular free-to-play RPG, has been abused by a ransomware actor to stop antivirus processes and enable the mass deployment of their ransomware.

A new whitepaper published August 24th to Trend Micro(opens in new tab) explains how the perfectly legitimate driver mhyprot2.sys was used, absent any other parts of Genshin Impact, to gain root access to a system. 

«Security teams and defenders should note that mhyprot2.sys can be integrated into any malware,» wrote authors Ryan Soliven and Hitomi Kimura. 

«Genshin Impact does not need to be installed on a victim’s device for this to work; the use of this driver is independent of the game.»

Kernel-mode drivers are at the very core of your computer's system. At the risk of gross oversimplification, software at the kernel level generally has more control over your PC than you do. Genshin Impact's anti-cheat was previously under scrutiny for continuing to run—at the kernel level—even after you closed the game. Developer HoYoVerse, then known as MiHoYo, later changed that.(opens in new tab)

The paper is clear that this is a severe security breach of the entire Windows operating environment. It notes that the driver module «cannot be erased once distributed» and isn't inherently malicious—simply an abusable piece of otherwise-legitimate software. 

«This module is very easy to obtain and will be available to everyone until it is erased from existence,» the paper states. «It could remain for a long time as a useful utility for