I always had thought it wasn't possible, but here it is.
A customer's environment went entirely offline and all VMs were powered off by the reports we were getting. Some started to think it was a SAN issue since it was so massive and didn't spare any VMs.
Then, we saw 200 VMs abruptly shutdown and then all files on the datastore get encrypted (vmdk, vmx, logs, the works). The ransom note was left at datastore level.
The attack was directed, using a RaaS (Ransomware as a Service) code, because all files were encrypted with the company name on the extension of the crypted files. The ransom note also mentions the company name directly.
There was a Windows 2012R2 server outside VMware which seems to be the ground zero. Since it had access to the ESXi management URL, the mess may have started there.
Start locking your ESXi management access guys, things will get rough. this customer didn't segregate ESXi management from the VMs.
EDIT: Post-mortem posted here: