
'Sorry' ransomware
Novel ransomware deploying Go-based Linux encryptors on compromised cPanel hosts since early 2026.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for 'Sorry' ransomware
Deployed a Go-language Linux encryptor on cPanel hosts compromised via CVE-2026-41940
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware active
- What is 'Sorry' ransomware and how does it work?
- 'Sorry' ransomware deploys Go-language Linux encryptors on web-hosting servers compromised via the cPanel CVE-2026-41940 vulnerability. The group exploited a 65-day zero-day window before a patch was available. Source: WatchTowr Labs / CISA
- Which websites are at risk from the cPanel 'Sorry' ransomware attack?
- Any website hosted on a shared-hosting server running an unpatched version of cPanel & WHM is potentially at risk. Rapid7 identified approximately 1.5 million cPanel instances exposed to the internet. Source: Rapid7
- Why do ransomware groups use Go-language encryptors?
- Go compiles easily to multiple platforms and produces self-contained binaries with few dependencies. This makes them harder to reverse-engineer and faster to deploy across different operating systems.
Background
'Sorry' ransomware is a newly observed ransomware operation first identified actively deploying Go-language Linux encryptors on web-hosting servers compromised through CVE-2026-41940, a critical CRLF injection flaw in cPanel's login daemon. The group was active on hosts exposed during the 65-day zero-day window that ran from 23 February to 28 April 2026, when WebPros shipped an emergency patch.
The group targets shared-hosting infrastructure, making cPanel's dominant market position particularly advantageous as an attack surface. Go-based encryptors are increasingly preferred by ransomware operators because they compile easily to multiple platforms (Windows, Linux, macOS) and produce binaries with few dependencies, complicating reverse engineering. The choice of Linux encryptors reflects a deliberate focus on server-side infrastructure rather than endpoint workstations.
Little is publicly known about the group's structure, affiliation, or ransom demands. The name 'Sorry' appears in ransom notes or malware artefacts, but the group has not established a public leak site as of May 2026. Its emergence during an unpatched zero-day window suggests either direct knowledge of the vulnerability ahead of public disclosure or rapid exploitation immediately following CVE publication.