There is a massive vulnerability being exploited with ESXI hosts, we recommend that you either disable the CIM SLP Service via the SSH shell, or you take the following steps within the ESXI gui. Once disabled via the shell you will see the service is grayed out, see below.

Instructions to Fix with SSH Access

login via ssh and run the following commands $ /etc/init.d/slpd stop $ esxcli network firewall ruleset set -r CIMSLP -e 0 $ chkconfig slpd off Verify it has been disabled using the following command $ esxcli system slp stats get

Instructions to fix with GUI Access

login to your ESXi host, go to networking and then to the Firewall rules tab right-click the following service, and disable ESXI CIM SLP Fix  

ESXi Ransomeware Images & Research

These are screens we have acquired from machines we are helping fix, for education purposes only

Ransomware VMDK encrypted

This is what the datastore directory will look like, none of the files will register as VM’s Ransomware SSH Shell Screen  

Ransomeware Host Web Login Screen

  For assistance decrypting these machines and securely hosting them please contact us or visit the link below for information about decrypting them https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-5#entry5470396