Share
## https://sploitus.com/exploit?id=5594483C-6BE4-5815-989A-419B36AC3894
# Sorry Ransomware Analysis (CVE-2026-41940 cPanel Campaign)

Public IOC pack, YARA rules, forensic scripts and analysis methodology for the
**"Sorry" ransomware** (`.sorry` extension) family that emerged in late April 2026,
spread via the cPanel/WHM authentication bypass **CVE-2026-41940**.

> โš ๏ธ Files encrypted by this ransomware are **NOT decryptable** without the
> attacker's RSA-2048 private key. Do not pay. Patch cPanel, rotate all
> credentials, and preserve the encrypted files in case a free decryptor is
> released later.

๐Ÿ“ Full technical write-up (Turkish): _link to be added once published_

## What's in this repo

| Path | Purpose |
|---|---|
| `docs/IOC.md` | All indicators of compromise (encrypted-file, network, host) |
| `docs/analysis_methodology.md` | How the analysis was done โ€” fully reproducible |
| `yara/sorry_ransomware.yar` | YARA rules for encrypted files and ransom notes |
| `iocs/hashes.txt` | Campaign-wide and structural-prefix hashes |
| `iocs/network.txt` | Tox ID, CVE info, network IOCs |
| `iocs/file_signatures.txt` | Encrypted-file structural signatures |
| `scripts/analyze.py` | Per-sample entropy / structure analysis |
| `scripts/header_parse.py` | Parse the 2057-byte fixed header |
| `scripts/keystream_test.py` | ChaCha20 keystream-reuse / known-plaintext test |
| `scripts/server_collection.sh` | Read-only forensic artefact collector for compromised cPanel hosts |

## Quick facts

- **CVE:** CVE-2026-41940 (cPanel/WHM CRLF auth bypass, CVSS 9.8)
- **Encryptor:** Linux ELF, written in Go
- **Cipher:** ChaCha20 (per-file unique nonce) + RSA-2048 key wrapping
- **Extension:** `.sorry` appended to original filename
- **Ransom note:** `README.md` in every encrypted directory
- **Negotiation:** Tox only, single campaign-wide ID
- **Compromised IPs:** 44,000+ (Shadowserver)

## Encrypted-file structure

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Offset 0x000 - 0x808  (2057 bytes)  FIXED PREFIX       โ”‚
โ”‚  โ€ข Magic: 99 00 00 08 00 21 CA 68 0C BD 7F 19 ...       โ”‚
โ”‚  โ€ข RSA-2048 wrapped per-victim master key + metadata    โ”‚
โ”‚  โ€ข Tail marker @ 0x800: F4 0B 00 B4 27 00 00 01 00      โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  Offset 0x809 - (EOF-4)              CIPHERTEXT         โ”‚
โ”‚  โ€ข ChaCha20 stream-encrypted original data              โ”‚
โ”‚  โ€ข Length is NOT 16-aligned (mod16 โˆˆ {2,4,8,13})        โ”‚
โ”‚  โ€ข Shannon entropy ~7.95 bits/byte                      โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  Last 4 bytes:  00 00 00 00          STATIC FOOTER      โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Usage

```bash
# Scan a directory with the YARA rule
yara -r yara/sorry_ransomware.yar /path/to/scan

# Run analysis on local samples
python3 scripts/analyze.py /path/to/sample.sorry

# Collect forensic artefacts from a compromised cPanel host (read-only)
bash scripts/server_collection.sh
```

## Decryptability

**No.** We tested for every common implementation flaw:

| Test | Result |
|---|---|
| Pairwise ciphertext-XOR (keystream/nonce reuse) | โŒ no reuse |
| Known-plaintext keystream recovery โ†’ cross-file decrypt | โŒ failed |
| Embedded plaintext key / weak-RNG marker in header | โŒ none found |
| Padding oracle | โŒ N/A (stream cipher) |

The cipher is correctly implemented. Only the operator's RSA-2048 private key
can decrypt these files. Monitor [NoMoreRansom](https://www.nomoreransom.org/)
and [ID-Ransomware](https://id-ransomware.malwarehunterteam.com/) in case law
enforcement seizes the operator's key.

## Responsible-disclosure note

This repository contains:
- Static-analysis IOCs derived from in-the-wild encrypted samples (anonymized)
- Defensive YARA detection rules
- Read-only forensic collection scripts

It does **not** contain:
- The ransomware binary
- Exploitation tooling for CVE-2026-41940
- Decryption code (the cipher is correctly implemented)

## License

- Code: [MIT](LICENSE)
- Documentation: [CC BY 4.0](docs/LICENSE)

## Contributing

PRs welcome โ€” see [CONTRIBUTING.md](CONTRIBUTING.md).

## References

- [BleepingComputer โ€” Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks](https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/)
- [NVD โ€” CVE-2026-41940](https://nvd.nist.gov/vuln/detail/CVE-2026-41940)
- [Rapid7 โ€” ETR: cPanel & WHM Authentication Bypass](https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/)
- [watchTowr Labs โ€” The Internet Is Falling Down](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)
- [CISA KEV โ€” CVE-2026-41940](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940)
- [Public PoC โ€” ynsmroztas/cPanelSniper](https://github.com/ynsmroztas/cPanelSniper)