
'Sorry' ransomware
Novel ransomware deploying Go-based Linux encryptors on compromised cPanel hosts since early 2026.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How many hosting providers were hit by 'Sorry' ransomware during the cPanel zero-day window?
Timeline for 'Sorry' ransomware
Deployed a Go-language Linux encryptor on cPanel hosts compromised via CVE-2026-41940
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware activeWhat is 'Sorry' ransomware and how does it work?
Which websites are at risk from the cPanel 'Sorry' ransomware attack?
Why do ransomware groups use Go-language encryptors?
Background
'Sorry' ransomware is a newly observed ransomware operation first identified actively deploying Go-language Linux encryptors on web-hosting servers compromised through CVE-2026-41940, a critical CRLF injection flaw in cPanel's login daemon. The group was active on hosts exposed during the 65-day zero-day window that ran from 23 February to 28 April 2026, when WebPros shipped an emergency patch.
The group targets shared-hosting infrastructure, making cPanel's dominant market position particularly advantageous as an attack surface. Go-based encryptors are increasingly preferred by ransomware operators because they compile easily to multiple platforms (Windows, Linux, macOS) and produce binaries with few dependencies, complicating reverse engineering. The choice of Linux encryptors reflects a deliberate focus on server-side infrastructure rather than endpoint workstations.
Little is publicly known about the group's structure, affiliation, or ransom demands. The name 'Sorry' appears in ransom notes or malware artefacts but the group has not established a public leak site as of May 2026. Its emergence during an unpatched zero-day window suggests either direct knowledge of the vulnerability ahead of public disclosure or rapid exploitation immediately following CVE publication.