Share
## https://sploitus.com/exploit?id=5594483C-6BE4-5815-989A-419B36AC3894
# Sorry Ransomware Analysis (CVE-2026-41940 cPanel Campaign)
Public IOC pack, YARA rules, forensic scripts and analysis methodology for the
**"Sorry" ransomware** (`.sorry` extension) family that emerged in late April 2026,
spread via the cPanel/WHM authentication bypass **CVE-2026-41940**.
> โ ๏ธ Files encrypted by this ransomware are **NOT decryptable** without the
> attacker's RSA-2048 private key. Do not pay. Patch cPanel, rotate all
> credentials, and preserve the encrypted files in case a free decryptor is
> released later.
๐ Full technical write-up (Turkish): _link to be added once published_
## What's in this repo
| Path | Purpose |
|---|---|
| `docs/IOC.md` | All indicators of compromise (encrypted-file, network, host) |
| `docs/analysis_methodology.md` | How the analysis was done โ fully reproducible |
| `yara/sorry_ransomware.yar` | YARA rules for encrypted files and ransom notes |
| `iocs/hashes.txt` | Campaign-wide and structural-prefix hashes |
| `iocs/network.txt` | Tox ID, CVE info, network IOCs |
| `iocs/file_signatures.txt` | Encrypted-file structural signatures |
| `scripts/analyze.py` | Per-sample entropy / structure analysis |
| `scripts/header_parse.py` | Parse the 2057-byte fixed header |
| `scripts/keystream_test.py` | ChaCha20 keystream-reuse / known-plaintext test |
| `scripts/server_collection.sh` | Read-only forensic artefact collector for compromised cPanel hosts |
## Quick facts
- **CVE:** CVE-2026-41940 (cPanel/WHM CRLF auth bypass, CVSS 9.8)
- **Encryptor:** Linux ELF, written in Go
- **Cipher:** ChaCha20 (per-file unique nonce) + RSA-2048 key wrapping
- **Extension:** `.sorry` appended to original filename
- **Ransom note:** `README.md` in every encrypted directory
- **Negotiation:** Tox only, single campaign-wide ID
- **Compromised IPs:** 44,000+ (Shadowserver)
## Encrypted-file structure
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Offset 0x000 - 0x808 (2057 bytes) FIXED PREFIX โ
โ โข Magic: 99 00 00 08 00 21 CA 68 0C BD 7F 19 ... โ
โ โข RSA-2048 wrapped per-victim master key + metadata โ
โ โข Tail marker @ 0x800: F4 0B 00 B4 27 00 00 01 00 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Offset 0x809 - (EOF-4) CIPHERTEXT โ
โ โข ChaCha20 stream-encrypted original data โ
โ โข Length is NOT 16-aligned (mod16 โ {2,4,8,13}) โ
โ โข Shannon entropy ~7.95 bits/byte โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Last 4 bytes: 00 00 00 00 STATIC FOOTER โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## Usage
```bash
# Scan a directory with the YARA rule
yara -r yara/sorry_ransomware.yar /path/to/scan
# Run analysis on local samples
python3 scripts/analyze.py /path/to/sample.sorry
# Collect forensic artefacts from a compromised cPanel host (read-only)
bash scripts/server_collection.sh
```
## Decryptability
**No.** We tested for every common implementation flaw:
| Test | Result |
|---|---|
| Pairwise ciphertext-XOR (keystream/nonce reuse) | โ no reuse |
| Known-plaintext keystream recovery โ cross-file decrypt | โ failed |
| Embedded plaintext key / weak-RNG marker in header | โ none found |
| Padding oracle | โ N/A (stream cipher) |
The cipher is correctly implemented. Only the operator's RSA-2048 private key
can decrypt these files. Monitor [NoMoreRansom](https://www.nomoreransom.org/)
and [ID-Ransomware](https://id-ransomware.malwarehunterteam.com/) in case law
enforcement seizes the operator's key.
## Responsible-disclosure note
This repository contains:
- Static-analysis IOCs derived from in-the-wild encrypted samples (anonymized)
- Defensive YARA detection rules
- Read-only forensic collection scripts
It does **not** contain:
- The ransomware binary
- Exploitation tooling for CVE-2026-41940
- Decryption code (the cipher is correctly implemented)
## License
- Code: [MIT](LICENSE)
- Documentation: [CC BY 4.0](docs/LICENSE)
## Contributing
PRs welcome โ see [CONTRIBUTING.md](CONTRIBUTING.md).
## References
- [BleepingComputer โ Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks](https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/)
- [NVD โ CVE-2026-41940](https://nvd.nist.gov/vuln/detail/CVE-2026-41940)
- [Rapid7 โ ETR: cPanel & WHM Authentication Bypass](https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/)
- [watchTowr Labs โ The Internet Is Falling Down](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)
- [CISA KEV โ CVE-2026-41940](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940)
- [Public PoC โ ynsmroztas/cPanelSniper](https://github.com/ynsmroztas/cPanelSniper)