Published: May 8, 2026

Source: CYFORi Research — Analysis of the cPanel CVE-2026-41940 authentication bypass vulnerability and associated 'Sorry' ransomware mass exploitation campaign.

Key References: Shadowserver Foundation reports, CISA advisories, BleepingComputer, cPanel emergency update documentation.


What Happened

A critical cPanel authentication bypass vulnerability, CVE-2026-41940, was mass-exploited this week by multiple threat actors, who used it to deploy a new ransomware variant called 'Sorry'.

Here's what the vulnerability does:

Shadowserver reports at least 44,000 IP addresses running cPanel have been compromised. Multiple sources confirm that government and military targets in Southeast Asia were hit alongside MSPs and hosting providers in the U.S., Canada, and South Africa.

This is the story most likely to affect Texas SMBs directly. cPanel isn't just for web agencies: it's used by real estate firms with their own websites, local restaurants with online ordering, contractors managing client portals, and anyone running shared hosting for their business.

The Attack Chain — Step by Step

  1. Exploit: The attacker sends a crafted request that bypasses cPanel's authentication; no password, stolen credential, or phishing step is needed
  2. Access: Full administrative access to the cPanel instance, indistinguishable from a legitimate admin session
  3. Payload: A Go-based Linux encryptor is deployed to the server
  4. Encryption: Files on the server (and potentially any connected network storage) are encrypted with ChaCha20 and RSA-2048, the usual hybrid scheme in which the fast symmetric cipher does the file encryption and the RSA key held by the attacker protects the file keys, so nothing on the server can recover them
  5. Extension: Encrypted files get the .sorry extension
  6. Ransom note: A ransom note is left on the server demanding payment

Why This Hits Texas SMBs Hard

How many of your business clients use shared hosting? Web design agencies? Real estate firms with their own websites? Local restaurants with online ordering? If they use cPanel — and millions do — they were in the crosshairs.

The attack has only just started. Researchers warn that exploitation will increase in the coming days. This isn't a past-event story; it's an active, escalating threat.

What Every Texas SMB Must Do Now

Do This Today

  1. Patch immediately: cPanel released an emergency update on April 28. Every cPanel instance must be patched. Period. Don't assume automatic updates ran: confirm the running version on each server matches the fixed release in cPanel's update documentation.
  2. Inventory cPanel deployments: If you're an MSP managing client hosting, audit every cPanel server under management, including the ones a client set up themselves and forgot about
  3. If you see .sorry files: That's not a data loss event; that's a DFIR engagement. Isolate the host, preserve logs and a disk image before you wipe anything, and treat every credential that lived on that server as compromised, because the attacker had admin access. Don't pay. Restore from backup or rebuild.

This Week

  1. Verify backup integrity: Confirm your backups are current, actually restore (test it, don't assume it), and are not on the same server or storage as your live data, or the encryptor takes them too
  2. Review access logs: Because the bypass lands the attacker in a session that looks like a legitimate admin's, look for successful cPanel and WHM logins from unfamiliar addresses, not just failed attempts, and cover the whole period the server was unpatched rather than only the past week
  3. Notify your clients: If you're a web host or MSP, your clients need to know immediately
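The log review and the .sorry triage above can be scripted. The following is an added example, not code from the original post, from CYFORi, or from cPanel: it parses login entries in the shape cPanel writes to /usr/local/cpanel/logs/login_log (the line format is an assumption; compare it with a real line from your own server before trusting the regex), flags successful privileged logins from addresses outside an allowlist, finds .sorry files under a directory, and lists the sessions that preceded the earliest encrypted file. The sample log lines, the PRIVILEGED set and the KNOWN_ADMIN_IPS allowlist are constructed placeholders.

```python
"""Post-exploitation triage for a cPanel host: which admin sessions look like a
bypass, where the .sorry files are, and which sessions preceded encryption.
Added example; not cPanel's or CYFORi's code."""
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed line shape for /usr/local/cpanel/logs/login_log; check it against a
# real line from your own server before trusting LOGIN_RE:
# [2026-05-04 03:12:44 +0000] info [whostmgrd] 203.0.113.7 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
LOGIN_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\] \w+ '
    r'\[(?P<svc>[^\]]+)\] (?P<ip>\S+) - (?P<user>\S+) "(?P<req>[^"]*)" '
    r'(?P<result>SUCCESS|FAILED|DEFERRED) LOGIN'
)
PRIVILEGED = {"root"}              # placeholder: add reseller accounts with WHM access
KNOWN_ADMIN_IPS = {"192.0.2.10"}   # placeholder: your office and jump-host addresses

# Constructed sample entries, not real log data.
SAMPLE_LOG = """\
[2026-05-03 22:10:05 +0000] info [cpaneld] 198.51.100.20 - bizuser "POST /login/ HTTP/1.1" FAILED LOGIN cpaneld: invalid user or password
[2026-05-03 22:10:19 +0000] info [cpaneld] 198.51.100.20 - bizuser "POST /login/ HTTP/1.1" SUCCESS LOGIN cpaneld
[2026-05-04 03:12:44 +0000] info [whostmgrd] 203.0.113.7 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-05-04 09:00:01 +0000] info [whostmgrd] 192.0.2.10 - root "GET /login/?login_only=1 HTTP/1.1" SUCCESS LOGIN whostmgrd
""".splitlines()


def parse_ts(text):
    """'2026-05-04 03:12:44 +0000' -> timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")


def parse_login_log(lines):
    """One dict per recognised login line; anything else is skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events


def suspicious_logins(events, known_admin_ips=KNOWN_ADMIN_IPS):
    """An authentication bypass produces a SUCCESS with no password guessing
    behind it, so flag successful privileged logins from unknown addresses and
    record whether that address ever failed a login (a bypass usually never does)."""
    failed_ips = {e["ip"] for e in events if e["result"] == "FAILED"}
    return [
        {**e, "ip_also_failed": e["ip"] in failed_ips}
        for e in events
        if e["result"] == "SUCCESS"
        and e["user"] in PRIVILEGED
        and e["ip"] not in known_admin_ips
    ]


def find_sorry_files(root):
    """All '.sorry' files under root plus the earliest mtime among them, which
    approximates when encryption started on this host."""
    root = Path(root)
    if not root.is_dir():
        return [], None
    hits = [p for p in root.rglob("*.sorry") if p.is_file()]
    earliest = min(
        (datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc) for p in hits),
        default=None,
    )
    return hits, earliest


def logins_before(events, when, hours=24):
    """Successful logins in the `hours` before `when`: the sessions most likely
    to have dropped the encryptor. Returns [] when no encryption time is known."""
    if when is None:
        return []
    low = when - timedelta(hours=hours)
    return [e for e in events if e["result"] == "SUCCESS" and low <= e["ts"] <= when]


if __name__ == "__main__":
    import sys
    events = parse_login_log(SAMPLE_LOG)   # real use: open("/usr/local/cpanel/logs/login_log")
    for e in suspicious_logins(events):
        print(f"FLAG {e['ts']:%Y-%m-%d %H:%M} {e['svc']} {e['user']} from {e['ip']}"
              f" (this IP also had failed logins: {e['ip_also_failed']})")
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    hits, first = find_sorry_files(scan_root)
    print(f"{len(hits)} .sorry files under {scan_root}; earliest mtime: {first}")
    for e in logins_before(events, first):
        print(f"  session before encryption: {e['user']} from {e['ip']} at {e['ts']}")
```

Run it on a copy of the log rather than the live file, and widen the lookback if the earliest .sorry mtime is days after the last suspicious login: the flagged root session from 203.0.113.7 in the sample is the kind of entry that passes a naive "failed logins" review, because it never failed.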

The Hard Truth About Ransomware

That RSA-2048 key? Without the attacker's private key there's no decryption. No back door. No miracle tool. The only options are restore from backup or rebuild. That's why your backup strategy isn't an IT luxury; it's a business continuity requirement.
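"Restore from backup" only works if the backup restores and wasn't encrypted along with the live data. The following is an added example, not code from the original post or from CYFORi: it takes a SHA-256 manifest at backup time, restore-tests a tar.gz archive into a clean directory against that manifest, reports the backup's age, and warns when the archive sits on the same filesystem as the data it protects (a proxy for "same server", not proof of separation). The docroot files, the simulated .sorry rename and the tar.gz format are constructed assumptions for the walkthrough.

```python
"""Restore-test a backup archive against a hash manifest taken at backup time,
and flag two ways backups fail after ransomware: the archive shares a filesystem
with the live data, or it is older than the recovery point you can tolerate.
Added example; not CYFORi's or cPanel's tooling."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every regular file under root.
    Keep the manifest with the backup, never on the live server."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_archive(root, archive_path):
    """tar.gz of root with relative member names matching the manifest keys."""
    root = Path(root)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(root)))


def verify_tree(root, manifest):
    """Compare a directory with the manifest: returns (missing, mismatched)."""
    root = Path(root)
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
    return missing, mismatched


def restore_and_verify(archive_path, manifest, dest):
    """Extract into an empty directory and check against the manifest.
    Members with absolute or '..' paths are refused before anything is written."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=False)
    with tarfile.open(archive_path, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"refusing unsafe member: {m.name}")
        try:
            tar.extractall(dest, filter="data")   # Python 3.12+ and backports
        except TypeError:                           # older Python: no filter kwarg
            tar.extractall(dest)
    return verify_tree(dest, manifest)


def backup_age_hours(archive_path):
    return (time.time() - os.stat(archive_path).st_mtime) / 3600


def same_filesystem(a, b):
    """Same st_dev: the backup would be encrypted with the live data."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def demo():
    """Constructed walkthrough in a temp dir: back up a fake docroot, simulate
    the encryptor replacing and renaming a file to .sorry, show the backup still
    restores clean, and show that a tampered restore is caught."""
    with tempfile.TemporaryDirectory() as td:
        live = Path(td, "public_html")
        (live / "inc").mkdir(parents=True)
        (live / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
        (live / "inc" / "config.php").write_bytes(b"<?php $db = 'orders'; ?>\n")
        manifest = build_manifest(live)
        archive = Path(td, "backup.tgz")
        make_archive(live, archive)

        clean = restore_and_verify(archive, manifest, Path(td, "restore_1"))

        # Simulated 'Sorry' behaviour: content replaced, original renamed away.
        (live / "index.php").write_bytes(b"\x00junk")
        (live / "index.php").rename(live / "index.php.sorry")
        damage = verify_tree(live, manifest)

        after = restore_and_verify(archive, manifest, Path(td, "restore_2"))
        (Path(td, "restore_2") / "inc" / "config.php").write_bytes(b"tampered")
        tampered = verify_tree(Path(td, "restore_2"), manifest)
        return {
            "clean_restore": clean,
            "damage_on_live": damage,
            "restore_after_attack": after,
            "tampered_restore": tampered,
            "backup_shares_filesystem": same_filesystem(archive, live),
            "backup_age_hours": backup_age_hours(archive),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the walkthrough the archive deliberately lives next to the docroot, so backup_shares_filesystem comes back True; that is the warning you want to see before an incident, not after. Schedule restore_and_verify against a real archive on a separate host and alert on any missing or mismatched entry or on an age past your recovery point.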

If you're running a business and your recovery plan for a ransomware attack is "hope it doesn't happen to me," that's not a plan. That's a gamble — and the house always wins.

Is Your Backup Strategy Actually Tested?

CYFORi audits backup strategies, validates recovery procedures, and stands ready for incident response. Don't wait for a ransomware note to find out your backups don't work.