Recent reporting, including coverage from BleepingComputer, has highlighted a surge in attacks tied to “Sorry ransomware” following the exploitation of a critical cPanel and WHM vulnerability (CVE-2026-41940). While the ransomware itself is not new, the way it is being deployed has made it a serious risk for organizations running exposed cPanel environments.
Sorry ransomware has historically been considered a low-tier or commodity strain, often reused or modified from publicly available code. On its own, it does not stand out among more sophisticated ransomware families. What has changed is its delivery method. Attackers are exploiting a vulnerability that allows authentication bypass in cPanel, giving them direct administrative access to servers without valid credentials. Once inside, they can execute commands, deploy payloads, and encrypt data across websites and backend systems.
This campaign is notable because it shifts the focus away from the ransomware itself and toward the vulnerability enabling access. cPanel is widely used across shared hosting environments, managed service providers, and enterprise web infrastructure, which means a single flaw can expose a large number of systems at once. In the cases observed so far, attackers are scanning for vulnerable instances, gaining access quickly, and deploying ransomware with little delay. The speed between initial access and encryption leaves limited time for detection or response.
DigitalMint has responded to multiple incidents associated with this activity. In those cases, decryption was a two-step process with the threat actor. This unfortunately opened up the opportunity for re-extortion events. Another red flag we warned about regarding potential re-extortion was the relatively low demand made by this threat actor. From our Threat Actor Negotiation Team:

“This TA reminds us of classic lone wolf TAs using the Phobos or Dharma ransomware packets. Low demands, communication over email, and having to pay twice.”
While negotiation did result in lower initial payments, clients have not moved forward with second payments at the time of this article.
Organizations running cPanel or WHM should treat this vulnerability as an immediate priority. Systems that were exposed to the internet and not patched during the active exploitation window should be reviewed carefully. Even in the absence of obvious indicators, it is reasonable to assume potential compromise and investigate accordingly. Signs of intrusion may include unexpected administrative users, unfamiliar file modifications, or the presence of ransomware artifacts.
The broader takeaway is straightforward. Attackers do not need advanced ransomware to cause damage if they can gain reliable, scalable access to systems. Vulnerabilities in widely deployed infrastructure software provide that access. When exploitation can be automated, even basic ransomware becomes effective at scale. This is why rapid patching, restricted access to administrative interfaces, and strong authentication controls remain essential.
For organizations that rely on cPanel, the priority is to apply updates immediately, limit exposure of management interfaces, and validate the integrity of systems that may have been accessible during the exploitation period. This includes reviewing logs, verifying user accounts, and ensuring that no unauthorized changes have been made.
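As an added illustration of the review steps above (example code, not DigitalMint's own tooling), the following Python helper compares a pre-exposure snapshot of WHM reseller privileges with the current state and lists files modified during the exploitation window, flagging names that look like ransom notes. The reseller-file layout (`user:acl,acl,...`, modelled on `/var/cpanel/resellers`), the meaning of the `all` ACL and every sample value are assumptions constructed for the example.

```python
"""Added example: post-exposure triage for a cPanel/WHM host (not DigitalMint's tooling).
Assumptions not taken from the article: reseller privileges come from a file shaped like
/var/cpanel/resellers ("user:acl,acl,..."), the ACL "all" is root-equivalent, and the
exposure window is the period the host sat unpatched and internet-facing. Sample data is constructed."""
import os

FULL_PRIV = "all"
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover")  # common ransom-note name fragments

def parse_resellers(text):
    """Parse 'user:acl1,acl2' lines into {user: set_of_acls}; blank/malformed lines skipped."""
    out = {}
    for line in text.splitlines():
        user, sep, acls = line.strip().partition(":")
        if sep and user:
            out[user] = {a for a in acls.split(",") if a}
    return out

def unexpected_admins(baseline, current):
    """Resellers absent from the pre-exposure baseline, or newly granted full privileges."""
    findings = []
    for user, acls in current.items():
        if user not in baseline:
            findings.append((user, "new reseller"))
        elif FULL_PRIV in acls and FULL_PRIV not in baseline[user]:
            findings.append((user, "escalated to full privileges"))
    return findings

def files_touched_in_window(entries, start, end):
    """entries: (path, mtime_epoch) pairs. Returns files modified inside [start, end], tagging note-like names."""
    hits = []
    for path, mtime in entries:
        if start <= mtime <= end:
            name = os.path.basename(path).lower()
            kind = "possible ransom note" if any(m in name for m in NOTE_MARKERS) else "modified in window"
            hits.append((path, kind))
    return hits

# Constructed sample: a baseline snapshot taken before exposure versus the post-window state.
BASELINE = "admin:all\nhostco:list-accts,create-acct\n"
CURRENT = "admin:all\nhostco:all\nsupport2:all\n"
WINDOW = (1_700_000_000, 1_700_100_000)  # constructed exploitation window, epoch seconds
SAMPLE_FILES = [("/home/hostco/public_html/index.php", 1_700_050_000),
                ("/home/hostco/public_html/README_DECRYPT.txt", 1_700_060_000),
                ("/home/hostco/public_html/style.css", 1_690_000_000)]

def triage():
    """Run both checks on the constructed sample and return the findings for review."""
    admins = unexpected_admins(parse_resellers(BASELINE), parse_resellers(CURRENT))
    files = files_touched_in_window(SAMPLE_FILES, *WINDOW)
    return {"admins": admins, "files": files}
```

On a live host, feed `files_touched_in_window` with `(path, os.path.getmtime(path))` pairs gathered by walking the web roots, and take the baseline from a backup or snapshot that predates the exposure window.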
Sorry ransomware is not significant because of its technical sophistication. It is significant because it demonstrates how quickly attackers can take advantage of a critical vulnerability and turn it into a widespread ransomware campaign. Organizations that focus on reducing exposure and responding quickly to newly disclosed vulnerabilities will be in a much stronger position to prevent this type of incident.
DigitalMint continues to monitor this activity and support affected organizations. Additional insights and findings from active cases can be incorporated here to provide further detail on attacker behavior, recovery timelines, and defensive recommendations.