RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: sorry-ransomware (2 articles)Clear
threat
CVE-2026-41940
2026-05-04

cPanel ransomware attackers are now hunting government agencies and the IT companies that manage them

Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.

cpanelsorry-ransomwaregovernment-targetingmspfollow-upcisa-kevfederal-deadlinekaseya-comparisonsupply-chain-amplification
Check
Audit /var/cpanel/sessions/raw/ for entries created since February 23, 2026. Search for files with the .sorry extension across hosted sites. Check authentication logs for unusual successful logins between February 23 and April 28.
Affected
Government agencies, MSPs, and hosting companies running unpatched cPanel infrastructure. Particularly acute: MSPs whose cPanel instances host downstream customer accounts - a single compromise spreads to many tenants. Federal agencies under BOD 22-01 must patch by May 21. State and local governments without that mandate face the same active threat without the same enforcement.
Fix
Patch cPanel to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. Restore from backups predating February 23 rather than just resuming operations. Rotate root, admin, and customer credentials. For MSPs: notify customers proactively before they discover compromise from a ransom note.
threat
CVE-2026-41940
2026-05-02

Hackers are mass-encrypting websites by exploiting last week's cPanel flaw - 44,000 servers compromised so far in 'Sorry' ransomware attacks

Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.

cpanelwhmsorry-ransomwaremass-exploitationfollow-upshadowserver44k-compromisedgo-encryptorchacha20
Check
If you run any cPanel or WHM server and have not yet patched, treat the server as already compromised - patch immediately, then start incident response rather than just resuming operations.
Affected
All cPanel and WHM versions before the April 28 emergency patch. ~1.5 million internet-exposed cPanel instances per Shodan, with 44,000 confirmed compromised. Hosting providers, web agencies, e-commerce sites on shared hosting, and any small business website on cPanel are in scope. Anyone whose cPanel was internet-reachable between February 23 and April 28 should assume compromise even if they patched promptly.
Fix
Patch cPanel to a fixed version. After patching, hunt for indicators of compromise (Sorry's '.sorry' file extension, unfamiliar admin sessions, cron entries pointing to /tmp/, modified /var/cpanel/sessions/raw/ files). Restore from clean backups predating February 23 if possible. Block cPanel ports (2082-2087, 2095-2096) at the firewall to non-trusted IPs. Rotate every credential the cPanel host had access to.