ESXi Can Write Its Logs to a RAM Disk. Ransomware Counts on It
On an ESXi host without persistent scratch, /var/run/log lives on an in-memory ramdisk and evaporates at the next boot. Ransomware crews get the same effect for free — they power off, kill, or reboot the workloads before encrypting — which means your entire forensic timeline had to be forwarded off-box before the incident or it never existed at all.