
Sorry

Sorry is a ransomware strain observed in active exploitation campaigns against internet-exposed cPanel and WHM infrastructure in 2026. Reporting links it directly to exploitation of the critical cPanel authentication bypass vulnerability CVE-2026-41940 and to exploitation activity involving the LiteSpeed User-End cPanel Plugin privilege-escalation flaw CVE-2026-48172. The campaign is described as vulnerability-driven and focused on shared hosting infrastructure, with the ransomware deployed rapidly once access is obtained.

Observed behavior includes encrypting files and appending the ".sorry" extension; specifically noted examples include files such as index.html.sorry, index.php.sorry, and wp-config.php.sorry. Multiple sources state that most vulnerable instances hit in these campaigns were encrypted with the ".sorry" extension, and one report ties the activity to the Sorry/Hidden-Tear family. Censys reported at least two parallel campaigns following cPanel compromise: deployment of a Mirai botnet variant identified as nuclear.x86 and a ransomware campaign associated with Sorry.

In the available reporting the malware is attributed only to unknown or unattributed threat actors. Multiple third parties are stated to have weaponized CVE-2026-41940 within 24 hours of disclosure, including actors deploying Mirai variants and Sorry ransomware. One report describes the Sorry campaign as operated by an unattributed threat actor and highlights it as evidence of a shift toward large-scale, exploit-led ransomware propagation.

Targeting in the provided reporting centers on cPanel/WHM servers and shared hosting environments. The campaign reportedly affected large numbers of exposed systems: one report states that about 44,000 internet-facing servers were rapidly compromised via CVE-2026-41940, another says roughly 7,000 cPanel servers were affected by the ransomware activity, and Macnica reported that 194 of 1,692 publicly exposed cPanel/WHM servers in Japan were hit with Sorry ransomware. The broader ransomware reporting also notes evidence that Sorry exploited CVE-2026-41940 as a zero-day.

High-confidence indicators and artifacts mentioned in the content are the ransomware name "Sorry" and encrypted files bearing the ".sorry" extension.
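A defender-side hunt for the ".sorry" artifact named above, added here as an example; it is not code from the Mallory page or from any report it cites. It assumes only what the page states (the extension and the example file names such as wp-config.php.sorry); the sample web root it builds is constructed for illustration, and the per-directory encryption ratio is an assumed heuristic for separating wholesale T1486 impact from a stray file.

```python
"""Hunt a web root for files bearing the ".sorry" extension left by Sorry
ransomware and summarize what was hit.  Added example: the only page-derived
facts are the extension and the example file names; the tree built by
build_sample_webroot() is constructed, not captured from an incident."""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".sorry"  # extension appended to encrypted files (from the page)


def find_encrypted_files(root):
    """Walk root and return sorted (encrypted_path, original_name) pairs for
    every file whose name ends in the ransom extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(RANSOM_EXT):
                original = name[: -len(RANSOM_EXT)]
                hits.append((os.path.join(dirpath, name), original))
    return sorted(hits)


def summarize_by_original_extension(hits):
    """Count encrypted files by the extension they had before encryption,
    e.g. {'.php': 2, '.html': 1}; files without an extension count as '(none)'."""
    counts = Counter(
        Path(original).suffix.lower() or "(none)" for _path, original in hits
    )
    return dict(counts)


def encryption_ratio_by_dir(root):
    """Fraction of files per directory carrying the ransom extension (assumed
    heuristic): a ratio near 1.0 is the signature of wholesale encryption,
    while a single .sorry file in an otherwise clean tree deserves a closer
    look rather than an immediate impact declaration."""
    ratios = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if not filenames:
            continue
        encrypted = sum(1 for n in filenames if n.lower().endswith(RANSOM_EXT))
        ratios[os.path.relpath(dirpath, root)] = encrypted / len(filenames)
    return ratios


def build_sample_webroot(base):
    """Constructed sample tree: a WordPress-style site whose web root was
    encrypted while a subdirectory was left untouched."""
    files = {
        "index.html.sorry": b"encrypted",
        "index.php.sorry": b"encrypted",
        "wp-config.php.sorry": b"encrypted",
        "robots.txt": b"User-agent: *\n",
        "wp-content/uploads/logo.png": b"\x89PNG",
    }
    for rel, data in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(tmp)
        hits = find_encrypted_files(root)
        for path, original in hits:
            print(f"{path} (was {original})")
        print(summarize_by_original_extension(hits))
        print(encryption_ratio_by_dir(root))
```

Run it against a real document root instead of the temporary tree by calling find_encrypted_files("/path/to/webroot"); the summary by original extension tells you quickly whether configuration files such as wp-config.php were among the encrypted set, which matters for the recovery plan.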


Exploited CVEs

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-41940: cPanel & WHM Authentication Bypass via Session-File CRLF Injection (Exploited in the wild)

Among new threats, instances of Gunra posting “phantom victims” were identified, and evidence was observed of the Sorry ransomware exploiting the cPanel authentication bypass vulnerability CVE-2026-41940.

via AhnLab ASEC blog (asec.ahnlab.com)
CVE-2026-48172: Privilege Escalation in LiteSpeed User-End cPanel Plugin redisAble Function (Exploited in the wild)

CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw is a maximum-severity privilege escalation vulnerability (CVSS v4.0: 10.0) residing in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4... Active exploitation has been observed deploying Mirai botnet variants and a ransomware strain called “Sorry.”

via CyberThrone (thecyberthrone.in)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078 Valid Accounts (Evidence: 2)

The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default... Any authenticated cPanel user can exploit this weakness to gain elevated privileges, ultimately achieving full administrative control over the affected server.

T1190 Exploit Public-Facing Application (Evidence: 2)

Ransomware operations are increasingly exploit-driven, leveraging zero-day and mass vulnerability exploitation for rapid, large-scale initial access.

Execution

2 techniques
T1059 Command and Scripting Interpreter (Evidence: 1)

There is no race condition to win, nor an authentication gap to bridge — a single malformed API call with the right parameter values is sufficient to escalate to root.

T1203 Exploitation for Client Execution (Evidence: 1)

The disclosure comes days after another critical flaw in the product (CVE-2026-41940) has been weaponized by threat actors as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry.

Persistence

1 technique
T1078 Valid Accounts (Evidence: 2)

The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default... Any authenticated cPanel user can exploit this weakness to gain elevated privileges, ultimately achieving full administrative control over the affected server.

Privilege Escalation

2 techniques
T1068 Exploitation for Privilege Escalation (Evidence: 3)

The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default. There is no race condition to win, nor an authentication gap to bridge — a single malformed API call with the right parameter values is sufficient to escalate to root. Any authenticated cPanel user can exploit this weakness to gain elevated privileges, ultimately achieving full administrative control over the affected server.

T1078 Valid Accounts (Evidence: 2)

The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default... Any authenticated cPanel user can exploit this weakness to gain elevated privileges, ultimately achieving full administrative control over the affected server.

Stealth

1 technique
T1078 Valid Accounts (Evidence: 2)

The root cause is a logic flaw in the plugin’s lsws.redisAble JSON-API endpoint, which is exposed to every logged-in cPanel user by default... Any authenticated cPanel user can exploit this weakness to gain elevated privileges, ultimately achieving full administrative control over the affected server.

Credential Access

1 technique
T1110 Brute Force (Evidence: 1)

Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning and brute-force attacks against its honeypots on April 30, 2026.

Discovery

1 technique
T1046 Network Service Discovery (Evidence: 1)

Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning ... against its honeypots on April 30, 2026.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 2)

Encryption approaches are evolving toward optimized and selective models, including intermittent encryption and experimental cryptographic techniques.
