Genshin Impact anti-cheat file is abused to mass deploy ransomware and kill antivirus processes

Genshin Impact has had many updates over its life, adding new characters, story expansions, and other features. Today's report, however, is about something far less welcome: the game's anti-cheat driver, and how it is being abused by attackers.

When it comes to anti-cheat systems, you may have heard of popular ones like EasyAntiCheat and BattlEye. Genshin Impact ships its own anti-cheat driver, a file called mhyprot2.sys, which miHoYo added to the game to prevent cheating. Towards the end of July 2022, however, a Trend Micro investigation found that this same file was at the centre of a much bigger problem.

The Genshin anti-cheat is a kernel-mode device driver, so once loaded it runs with kernel-level privileges on your computer. Unfortunately, those privileges are exactly what makes it useful to an attacker: the driver can be used to bypass the protections that normally shield security software and to kill endpoint-protection processes outright. It gets worse, because the driver is validly code-signed and freely obtainable, so it can be dropped and loaded on a machine that has never had the game installed, and nothing about its signature tells Windows it is malicious. Organizations should therefore be very careful and check whether this file is present on their systems, especially anywhere other than the game's own install directory.

In the case Trend Micro analysed, the driver was delivered alongside a helper, kill_svc.exe, which installs mhyprot2.sys as a service and loads it. A malicious installer posing as AVG antivirus then drops the ransomware and its supporting files. Before encryption starts, the driver is used to terminate the antivirus processes that would normally protect the user (a public proof of concept that Trend Micro referenced demonstrates this by stopping 360 Total Security).

The ransomware payload then encrypts files, rendering them unusable, and the same toolkit can be pushed to other computers with PsExec. That is what makes this potentially so dangerous: if the ransomware lands inside an organization with its own Windows domain, and the attacker has credentials to run PsExec across it, every machine in that domain is reachable, not just the one first infected.

This is not a new problem for Hoyoverse's game. As seen previously, mhyprot2.sys had already been abused before, including to distribute DLLs. The weakness has been reported to Hoyoverse, but it has not been acknowledged as a vulnerability, which suggests the company either does not consider it one or does not know how to fix it.

That also means no fix for this problem has been provided. Until one is, be very careful about the files you download while playing Genshin Impact, and check your computer's event logs for unexpected service installations (the Service Control Manager logs these to the System log as Event ID 7045). Either that or play the game through GeForce NOW, I guess. We will continue to update this post as more information on the Genshin Impact ransomware situation is released.
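As a concrete way to carry out both checks mentioned above (is the driver on the machine, and was it installed as a service?), here is an added PowerShell hunting script. It is not part of the original article or of Trend Micro's report. It assumes the legitimate driver lives under a path containing "Genshin Impact"; adjust $GamePathPattern if your install differs. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article or Trend Micro's report).
# Hunts for mhyprot2.sys on disk, among registered drivers, and in Service
# Control Manager installation events (System log, Event ID 7045).

$DriverName = 'mhyprot2.sys'
# Assumption: the game's legitimate install path contains this string.
$GamePathPattern = '*Genshin Impact*'

# 1. Copies of the driver on disk outside the game's own directory.
#    The driver is validly signed, so a "Valid" status is NOT reassuring here;
#    what matters is where the file is and who put it there.
$searchRoots = @(
    "$env:SystemRoot\System32\drivers",
    $env:ProgramData,
    $env:TEMP,
    $env:USERPROFILE
)
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter $DriverName -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike $GamePathPattern } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
            }
        }
}

# 2. Registered kernel drivers whose image path references the file,
#    whether or not they are currently running.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverName*" } |
    Select-Object Name, State, StartMode, PathName

# 3. Service installations in the last 30 days. Event 7045 carries the service
#    name, image path, service type and start type in its EventData; flag any
#    entry pointing at the driver, and list every other kernel-driver install
#    so unexpected ones can be reviewed.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            ServiceType = $data['ServiceType']
            StartType   = $data['StartType']
            Suspicious  = ($data['ImagePath'] -like "*$DriverName*")
        }
    } |
    Where-Object { $_.Suspicious -or $_.ServiceType -like '*kernel mode driver*' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The third section is deliberately a little noisy: legitimate software installs kernel drivers too, but a 7045 event for a kernel-mode driver whose image path sits in a user-writable location (a temp folder, a profile directory) and which was created shortly before antivirus processes died is the pattern described in the article, and it is worth reviewing every such entry rather than matching only on the file name, since an attacker can rename the file.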