
A widespread ransomware campaign targeting virtual private server (VPS) providers has permanently destroyed customer data across multiple hosting companies, with the attack vector traced to a critical vulnerability in the widely used Virtualizor management panel.
CloudCone, HostSlick, and OuiHeberg are among confirmed victims, while at least eight other providers using the same infrastructure remain at heightened risk.
CloudCone officially confirmed the grim reality in customer support tickets: user data is unrecoverable. The Los Angeles-based provider is rebuilding affected nodes from scratch rather than attempting data restoration, forcing customers to reinstall systems and rely on their own backups—if they have them. The company's status page shows servers have been offline since January 30, with recovery efforts focused on getting infrastructure operational rather than salvaging existing data.
"An attacker exploited a vulnerability to gain access to our VPS server node," CloudCone's support team wrote in ticket responses shared by affected users. "The attacker has compromised the disk associated with your server, rendering the data on the disk unrecoverable."
The attack methodology reveals sophisticated exploitation of the Virtualizor WHMCS integration plugin.
According to discussions in the LowEndTalk community, attackers leveraged vulnerabilities in how Virtualizor's billing panel plugin communicates with its API, enabling them to execute unauthorised commands across connected virtual machines without generating standard security signals such as SSH login records.
CloudCone's incident report confirms the intrusion bypassed traditional access controls. "Evidence suggests that this activity originated through management-layer access rather than direct SSH connectivity, which explains the absence of anomalous SSH login records," the company stated, noting that unauthorised scripts were executed on affected nodes through the management interface.
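The detection gap described above can be closed by tracing process ancestry instead of relying on login records. The following is an added example, not code from CloudCone or Virtualizor: it flags interpreter launches that descend from a management daemon and from no logged SSH session. The log lines and process events are constructed, and "panel-agent" is a hypothetical daemon name.

```python
import re

# Constructed sample data: sshd auth-log lines and normalized process-exec
# events (e.g. from auditd execve records). "panel-agent" is a hypothetical
# name standing in for whatever management-plane daemon runs on the node.
AUTH_LOG = [
    "Jan 30 02:10:01 node1 sshd[4100]: Accepted publickey for admin from 203.0.113.5 port 50514 ssh2",
]
EXEC_EVENTS = [
    {"pid": 4100, "ppid": 900, "exe": "/usr/sbin/sshd", "cmd": "sshd: admin"},
    {"pid": 4101, "ppid": 4100, "exe": "/bin/bash", "cmd": "-bash"},
    {"pid": 4150, "ppid": 4101, "exe": "/usr/bin/python3", "cmd": "python3 rotate_logs.py"},
    {"pid": 700, "ppid": 1, "exe": "/opt/panel/panel-agent", "cmd": "panel-agent --listen"},
    {"pid": 5200, "ppid": 700, "exe": "/bin/sh", "cmd": "sh -c /tmp/job.sh"},
    {"pid": 5201, "ppid": 5200, "exe": "/bin/bash", "cmd": "bash /tmp/job.sh"},
]
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}
MGMT_DAEMONS = {"panel-agent"}  # assumption: replace with the node's real service

def ssh_session_pids(auth_lines):
    """PIDs of sshd processes that logged a successful login."""
    pat = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for \S+ from \S+")
    return {int(m.group(1)) for line in auth_lines if (m := pat.search(line))}

def ancestors(pid, by_pid):
    """Yield the event for each known ancestor of pid, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]

def mgmt_layer_execs(events, auth_lines):
    """Interpreter launches that descend from a management daemon and from
    no logged SSH session: activity the SSH logs alone would never show."""
    by_pid = {e["pid"]: e for e in events}
    sessions = ssh_session_pids(auth_lines)
    flagged = []
    for e in events:
        if e["exe"].rsplit("/", 1)[-1] not in INTERPRETERS:
            continue
        chain = list(ancestors(e["pid"], by_pid))
        via_ssh = any(a["pid"] in sessions for a in chain)
        via_mgmt = any(a["exe"].rsplit("/", 1)[-1] in MGMT_DAEMONS for a in chain)
        if via_mgmt and not via_ssh:
            flagged.append((e["pid"], e["cmd"]))
    return flagged
```

On a long-running node PIDs are reused, so a production version should key processes on PID plus start time rather than PID alone.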
HostSlick reported over 25% of its infrastructure was infected, while security researchers analysing the attack pattern identified Virtualizor's integration with WHMCS (Web Host Manager Complete Solution) as the critical weak point. The vulnerability allows attackers to escalate privileges and gain administrative control over hypervisor nodes, enabling mass encryption of all hosted virtual machines in a single operation.
The broader impact extends beyond confirmed victims. Providers using Virtualizor's WHMCS plugin identified as potentially vulnerable include ColoCloud, Virtono, SolidSEOVPS, Naranjatech, LittleCreek, DediRock, Chunkserv, and RareCloud. Security experts are urging immediate data backups from all customers using these services.
This attack fits a disturbing 2026 trend. Research from Huntress shows hypervisor-targeted ransomware surged from 3% of incidents in early 2025 to 25% in the second half of the year, with virtualisation infrastructure becoming a prime target for threat actors seeking maximum impact with minimal effort. A single compromised hypervisor can encrypt dozens or hundreds of virtual machines simultaneously—exactly what happened to CloudCone's customers.
The timing coincides with increased exploitation of virtualisation platforms globally. Recent campaigns have targeted VMware ESXi vulnerabilities, with threat actors developing sophisticated toolkits that escape VM isolation to compromise host systems. While the CloudCone attack involved different software, the pattern is identical: attackers recognise that hypervisors represent high-value targets where traditional endpoint security tools often have limited visibility.
What Users Should Do Now:
For customers of affected providers: Immediately back up all critical data to external storage. Don't wait for official notifications—security researchers emphasise that affected infrastructure may remain vulnerable even after initial remediation.
For the broader VPS community: Implement automated backup schedules for all hosted applications and databases. Security professionals recommend hourly backups for critical data, with redundant copies stored on separate infrastructure.
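The backup advice above can be checked mechanically. The following is an added example, not part of the original article: it audits a backup inventory and ignores any copy held by the hosting provider itself, since those copies are lost with the node. The inventory and provider names are constructed, and reading "redundant" as at least two separate locations is an assumption.

```python
from datetime import datetime, timedelta

# Constructed inventory: one record per stored backup copy. "vps-host" stands
# for the VPS provider; the other location names are hypothetical.
NOW = datetime(2026, 2, 2, 12, 0)
COPIES = [
    {"dataset": "db", "finished": datetime(2026, 2, 2, 11, 40), "provider": "vps-host"},
    {"dataset": "db", "finished": datetime(2026, 2, 2, 11, 35), "provider": "object-store-a"},
    {"dataset": "db", "finished": datetime(2026, 2, 2, 11, 20), "provider": "home-nas"},
    {"dataset": "www", "finished": datetime(2026, 2, 2, 11, 50), "provider": "vps-host"},
    {"dataset": "www", "finished": datetime(2026, 2, 2, 11, 55), "provider": "vps-host"},
    {"dataset": "mail", "finished": datetime(2026, 2, 2, 9, 0), "provider": "object-store-a"},
]

def audit_backups(copies, now, hosting_provider,
                  max_age=timedelta(hours=1), min_locations=2):
    """Return {dataset: [problems]} for datasets that would not survive
    the loss of everything held at hosting_provider."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c["dataset"], []).append(c)
    report = {}
    for name, items in by_dataset.items():
        # Copies on the hosting provider's own infrastructure share its fate,
        # so they count for nothing here, however fresh they are.
        independent = [c for c in items if c["provider"] != hosting_provider]
        problems = []
        if not independent:
            problems.append("no copy outside hosting provider")
        else:
            newest = max(c["finished"] for c in independent)
            if now - newest > max_age:
                problems.append("independent copy stale")
            if len({c["provider"] for c in independent}) < min_locations:
                problems.append("fewer than %d independent locations" % min_locations)
        if problems:
            report[name] = problems
    return report
```

In the sample, "www" has the freshest backups of all three datasets and still fails, because every copy lives with the provider.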
CloudCone has not provided a timeline for when rebuilt servers will be available, stating only that affected customers will receive direct email notifications. The company emphasises that customer personal data and billing systems were not compromised—only the virtual machines themselves were affected.
The incident underscores a harsh reality of budget hosting: cheap infrastructure comes with serious risks. But as security experts note, even premium providers face these threats. The difference lies not in price but in preparation—specifically, whether you maintain backups independent of your hosting provider.
As one security researcher bluntly summarised the situation: "Your data is basically cold." For customers without backups, that assessment is devastatingly accurate.
Disclosure: This article covers an ongoing security incident. Readers should verify the current status directly with their service providers.