
Virtualizor Exploit Outbreak: HostSlick Compromised Following CloudCone, High-Risk Hosting Providers Listed


Recently, the hosting community has been in turmoil. Following well-known providers such as CloudCone, HostSlick has now been confirmed as the latest victim of attacks exploiting a vulnerability in the Virtualizor management panel. Multiple users have reported seeing prominent ransomware messages in their VPS VNC consoles, indicating that this wave of attacks targeting virtualization infrastructure is continuing to spread.


Attack Details: Familiar Ransomware Signature

According to the latest report from the LowEndTalk community, the impact on HostSlick closely mirrors previous security incidents. When connecting to their servers via VNC, users no longer see a normal OS login screen, but instead the following message:

“Your files are encrypted, requires payment for decrypting. Contact us: Telegram: @cloudcone_raidbot”

Because this ransom note uses the exact same Telegram contact (@cloudcone_raidbot) seen in the CloudCone incident, it strongly suggests that attackers are leveraging the same Virtualizor vulnerability to hit one provider after another.

Expanding Scope of Impact

Current evidence points to Virtualizor—a virtualization management panel widely used by thousands of VPS providers worldwide. In addition to HostSlick, the following providers have recently been confirmed or suspected of being affected:

High-risk warning list:

If you are running services with providers that also rely on Virtualizor infrastructure, please remain highly vigilant:

  • Virtono, SolidSEOVPS, Naranjatech
  • LittleCreek, DediRock, Chunkserv, RareCloud, etc.

Why Is This Attack So Severe?

Typical hacking incidents usually affect only a single virtual machine (VM), but this attack appears to target the Virtualizor management panel or its API interface directly. This means:

  1. Host-level compromise: Attackers may have gained control over the host node itself.
  2. Mass data encryption: Attackers can directly encrypt disk images of all VPS instances on the host, preventing normal data export.
  3. Lateral movement: Other servers within the same internal network may also be at high risk of compromise.

Emergency Response Guide: What Should You Do Now?

If you are a customer of affected providers, take immediate action:

  1. Immediate offsite backup: Do not rely solely on snapshots provided by the current provider. Immediately download critical data via FTP/Rsync to a local machine or another provider (e.g., AWS S3, Google Drive).
  2. Check VNC console: Log into your client panel and open VNC to see whether ransom messages are already displayed.
  3. Rotate sensitive credentials: Once the environment is confirmed safe, immediately change all SSH keys, database passwords, and API tokens.
  4. Monitor provider announcements: Follow official Twitter, email, and status pages of HostSlick or related providers for patch updates.

Conclusion

Vulnerabilities in virtualization software often have catastrophic consequences. For users, “don’t put all your eggs in one basket” is no longer a cliché but a survival rule. Regardless of any provider’s claims about infrastructure security, maintaining offline, offsite, and multi-version backups remains the ultimate defense against ransomware.
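The following is an added example, not part of the original article, showing one way to keep the multi-version offsite copies recommended above and in step 1 of the response guide. It assumes the VPS data has already been pulled into a local directory (for example with rsync); the function names, the on-disk layout and the 50% change threshold are illustrative assumptions.

```python
import hashlib, json, shutil, time
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def _versions(store: Path) -> list:
    return sorted(d for d in store.iterdir() if d.is_dir())

def _meta(version: Path) -> dict:
    return json.loads((version / "MANIFEST.json").read_text())

def last_good(store: Path):
    """Newest version not flagged suspect, i.e. the one to restore from."""
    return next((v for v in reversed(_versions(store)) if not _meta(v)["suspect"]), None)

def snapshot(source: Path, store: Path, max_changed: float = 0.5) -> dict:
    """Copy source into a new numbered version; existing versions are never touched.

    A version is flagged suspect when more than max_changed of the files in the
    last good version are altered or missing, as after mass encryption.
    """
    store.mkdir(parents=True, exist_ok=True)
    new, base = manifest(source), last_good(store)
    old = _meta(base)["files"] if base else {}
    altered = sum(1 for f, digest in old.items() if new.get(f) != digest)
    ratio = altered / len(old) if old else 0.0
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = store / f"{len(_versions(store)):06d}-{stamp}"
    shutil.copytree(source, dest / "data")
    meta = {"files": new, "suspect": ratio > max_changed}
    (dest / "MANIFEST.json").write_text(json.dumps(meta, indent=1))
    return {"version": dest.name, "changed_ratio": ratio, "suspect": meta["suspect"]}

def verify(version: Path) -> list:
    """Paths whose stored copy no longer matches the digest recorded at backup time."""
    actual = manifest(version / "data")
    return sorted(f for f, digest in _meta(version)["files"].items() if actual.get(f) != digest)

if __name__ == "__main__":
    import sys
    # Usage (paths are the caller's): python backup.py /mnt/pulled-from-vps /backups/vps1
    result = snapshot(Path(sys.argv[1]), Path(sys.argv[2]))
    print(result, "restore from:", last_good(Path(sys.argv[2])))
```

Because a suspect version is stored alongside the earlier ones rather than replacing them, a backup taken after the disk was encrypted cannot destroy the last clean copy; run `verify` on that copy before restoring from it.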
