VECT wipes ESXi VMFS datastores
- Check Point said on April 28 that VECT 2.0’s ESXi locker can turn into a wiper, permanently destroying VMFS-hosted data instead of recoverably encrypting it.
- The break point is tiny — 128 KB. Above 131,072 bytes, VECT discards three of four needed nonces, so VM disks and backups stay dead.
- That shifts the lesson from ransom negotiation to blast-radius control — especially around vCenter, ESXi, and tested offline recovery.
Ransomware on VMware ESXi is already bad news. But this VECT case is worse in a very specific way — the malware often destroys the data it claims to hold hostage. The immediate issue is ESXi, VMware’s hypervisor, and the VMFS datastores underneath it where virtual machine disks usually live. Check Point’s April 28 analysis says VECT 2.0’s ESXi variant shares a coding flaw with its Windows and Linux versions that makes recovery impossible for many files, even if the attacker wanted to decrypt them. (research.checkpoint.com)

### What is the thing being hit?

ESXi is the layer that runs lots of virtual machines on one physical server. VMFS is the datastore format ESXi uses to hold those VMs — their disks, configs, snapshots, and other core assets. So when malware defaults to `/vmfs/volumes`, it is not picking through random files. It is going straight at the (research.checkpoint.com)ugging, service disruption, and log wiping. (research.checkpoint.com)

### Why does the “wiper” label matter?

Because normal ransomware, awful as it is, still depends on a bargain. The attacker locks data, then sells decryption. VECT 2.0 breaks that bargain. For files at or above 131,072 bytes, the malware encrypts four chunks but stores only the last nonce needed for decryption. The first three nonces are (research.checkpoint.com)

### Why is 128 KB such a big deal?

Because 128 KB is basically nothing in enterprise storage terms. A VM disk, a database file, a document repository, and most backups all blow past that threshold immediately. Check Point’s point is simple — once the cutoff is that low, “large file” really means “almost every meaningful file.” On ESXi, (research.checkpoint.com)ke out a whole stack. (research.checkpoint.com)

### Is this just a bug, or a tactic?

Turns out it is both. The destructive behavior comes from a bug, not some elegant new extortion design. But the campaign still shows deliberate tradecraft around virtual infrastructure.
VECT emerged as a ransomware-as-a-service operation in late December 2025, added cross-platform lockers, and drew a (research.checkpoint.com)s like Trivy, KICS, LiteLLM, and Telnyx. (research.checkpoint.com)

### Where does vCenter fit in?

vCenter is the management plane for vSphere environments. If attackers reach that plane, they can do much more than touch one guest OS — they can see hosts, datastores, and administrative workflows across the environment. Broadcom’s own guidance makes clear that vCenter is central infrastructure and suppor (research.checkpoint.com)e untested, the recovery story gets much worse fast. (knowledge.broadcom.com)

### So what should defenders take from this?

First — do not assume paying fixes anything. In this case, the decryptor may be useless for the files that matter most. Second — treat hypervisor and management-plane access as separate crown jewels. Segment ESXi and vCenter administration, restrict who can reach them, and v (knowledge.broadcom.com) ESXi and recommended segmenting management networks and limiting lateral movement. (darkreading.com)

### What is the bottom line?

The scary part is not just that VECT is sloppy. It is that sloppy malware aimed at ESXi can still cause top-tier destruction. When the datastore is the target, one coding error turns a ransomware event into an unrecoverable infrastructure wipe. (research.checkpoint.com)
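One practical way to act on the 128 KB cutoff described above is an impact triage that buckets a datastore's files by the 131,072-byte threshold, so a responder can see how much a decryptor could still recover before any negotiation. This is an added example for this article, not Check Point's or Broadcom's code; the `/vmfs/volumes` paths, the file sizes and the VM extension set are constructed for illustration.

```python
import os
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# Size at which Check Point reports VECT 2.0 keeps only the last of four
# chunk nonces (131,072 bytes = 128 KB). Files at or above it are lost.
UNRECOVERABLE_THRESHOLD = 131_072

# Hypothetical grouping of VMFS artifacts that matter most for VM recovery.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsn", ".vmsd", ".nvram", ".vswp", ".log"}


def scan_datastore(root: str) -> Iterator[Tuple[str, int]]:
    """Walk a datastore such as /vmfs/volumes and yield (path, size) pairs."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished entry: skip, do not abort


def triage(entries: Iterable[Tuple[str, int]],
           threshold: int = UNRECOVERABLE_THRESHOLD) -> Dict[str, object]:
    """Split an inventory into recoverable (below cutoff) and effectively
    wiped (at or above cutoff) files and summarise the damage."""
    lost_n = lost_b = ok_n = ok_b = 0
    lost_by_ext: Counter = Counter()
    for path, size in entries:
        if size >= threshold:  # "at or above" per the analysis
            lost_n, lost_b = lost_n + 1, lost_b + size
            lost_by_ext[os.path.splitext(path)[1].lower()] += 1
        else:
            ok_n, ok_b = ok_n + 1, ok_b + size
    total = lost_n + ok_n
    return {
        "files_total": total,
        "files_unrecoverable": lost_n,
        "bytes_unrecoverable": lost_b,
        "files_recoverable": ok_n,
        "bytes_recoverable": ok_b,
        "unrecoverable_share": (lost_n / total) if total else 0.0,
        "unrecoverable_vm_assets": sum(n for e, n in lost_by_ext.items()
                                       if e in VM_EXTENSIONS),
    }


# Constructed sample inventory (not real datastore contents); sizes
# deliberately straddle the cutoff.
SAMPLE_INVENTORY = [
    ("/vmfs/volumes/ds1/web01/web01.vmx", 3_120),
    ("/vmfs/volumes/ds1/web01/web01-flat.vmdk", 42_949_672_960),
    ("/vmfs/volumes/ds1/web01/vmware.log", 131_072),   # exactly at cutoff: lost
    ("/vmfs/volumes/ds1/db01/db01.vmx", 3_500),
    ("/vmfs/volumes/ds1/db01/db01-flat.vmdk", 107_374_182_400),
    ("/vmfs/volumes/ds1/backups/nightly.tar", 8_589_934_592),
    ("/vmfs/volumes/ds1/README.txt", 131_071),         # one byte under: recoverable
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

On a real host, replace `SAMPLE_INVENTORY` with `scan_datastore("/vmfs/volumes")` run from an offline copy or a forensic image, not from the compromised hypervisor itself.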