Remember That cPanel Vulnerability? It’s Ransomware Now, and It Says Sorry

🤚 The Open-Palm Reminder

Remember last week, when we told you about that critical cPanel authentication bypass? The one where we said half the internet was quietly screaming? Well, the screaming has gotten significantly louder, because that vulnerability — CVE-2026-41940 — is now being mass-exploited by a ransomware operation that has the audacity to call itself “Sorry.”

The current damage report:

  • 44,000+ cPanel IP addresses compromised, according to Shadowserver
  • Hundreds of encrypted websites now visible in Google search results
  • The vulnerability has been exploited as a zero-day since late February — meaning attackers had a two-month head start before anyone noticed
  • Mass ransomware deployment began this week

👐 The Two-Handed Follow-Up

The “Sorry” ransomware is, technically speaking, disturbingly competent. It’s a Go-based Linux encryptor that uses the ChaCha20 stream cipher for file encryption, with RSA-2048 public-key protection on the encryption keys. In plain English: once your files are encrypted, they’re gone unless you have the attackers’ private key. Ransomware expert Rivitna confirmed that “decryption is impossible without an RSA-2048 private key.”

Encrypted files get the .sorry extension appended to them. And in each folder, the ransomware thoughtfully drops a README.md ransom note — because apparently even cybercriminals use Markdown now. We’re living in a world where ransomware gangs have better documentation practices than most startups.
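For responders scoping the damage, the two on-disk indicators above (the appended .sorry extension and a README.md note in each folder) can be swept for directly. The following is an added example, not code from the original article or from any vendor; the function names, the one-account-per-top-level-directory grouping and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".sorry"  # extension the article says is appended
NOTE_NAME = "README.md"      # ransom note file name given in the article

def scan_tree(root):
    """Map each directory holding *.sorry files to its hits and note status."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        encrypted = sorted(f for f in files if f.endswith(ENCRYPTED_SUFFIX))
        if encrypted:
            # README.md alone is common and benign; it only counts as a
            # ransom-note candidate when it sits next to encrypted files.
            hits[dirpath] = {"encrypted": encrypted, "note": NOTE_NAME in files}
    return hits

def summarize(root, hits):
    """Group hits by first path component under root (assumed: one account
    per subdirectory) and recover original names for backup matching."""
    accounts = defaultdict(lambda: {"files": 0, "note_dirs": 0, "originals": []})
    for dirpath, info in hits.items():
        rel = os.path.relpath(dirpath, root)
        entry = accounts[rel.split(os.sep)[0]]
        entry["files"] += len(info["encrypted"])
        entry["note_dirs"] += int(info["note"])
        for name in info["encrypted"]:
            original = name[: -len(ENCRYPTED_SUFFIX)]  # strip appended suffix
            entry["originals"].append(os.path.join(rel, original))
    return dict(accounts)

def build_sample_tree():
    """Constructed sample: 'alice' is hit, 'bob' only has a benign README.md."""
    root = tempfile.mkdtemp(prefix="sorry_scan_")
    layout = {
        "alice/public_html": ["index.php.sorry", "wp-config.php.sorry", "README.md"],
        "alice/mail": ["inbox.sorry"],
        "bob/project": ["README.md", "app.py"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in names:
            open(os.path.join(root, rel, name), "w").close()
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for account, info in sorted(summarize(sample, scan_tree(sample)).items()):
        print(account, info["files"], "encrypted,", info["note_dirs"], "note dirs")
```

The recovered original names give a per-account list to check against backups; run the sweep read-only against a snapshot or mounted image where possible so file timestamps are preserved for forensics.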

The ransom note includes a single Tox ID for contact. No website. No customer support portal. No FAQ section. Just a chat ID and the implication that you should have patched your software.

🌿 The Gentle Awakening

There’s something almost poetic about ransomware that apologizes. “Sorry” — as if encrypting your entire web hosting environment was an accident. As if the attackers tripped and fell into your authentication bypass and their ChaCha20 encryptor just went off. Happens to the best of us.

The real gut punch is the timeline. This vulnerability was being exploited as a zero-day since late February. That’s over two months of quiet, surgical exploitation before the mass campaign began. The attackers weren’t in a rush. They had coffee. They took weekends off. They paced themselves.

👑 The Gold-Leaf Reckoning

cPanel and WHM manage an enormous slice of the world’s web hosting. When cPanel has a critical auth bypass, it’s not a single-company problem — it’s an infrastructure problem. Every shared hosting provider, every budget WordPress site, every small business that trusted their $12/month hosting plan is now in the blast radius.

The emergency security update is available. If you run cPanel or WHM, install it immediately. Not after lunch. Not after standup. Now. The “Sorry” ransomware doesn’t actually feel sorry, and its encryption is mathematically irreversible without paying.

We told you last week. We’re telling you again. The next article in this series will be titled “We Literally Cannot Help You Anymore.”

“The ransomware said ‘Sorry’ and the README was in Markdown. We have reached peak developer culture, and it is encrypted.” — The Slap of Wisdom Incident Response Team, writing this from a server that has been patched, thank you very much