Sorry ransomware exploits cPanel authentication bypass
ID: 7f9ed00e-08b2-5d9b-a3bf-2594ada287e9
STIX ID: report--7f9ed00e-08b2-5d9b-a3bf-2594ada287e9
Feed Name: ThreatLocker Blog
An emerging ransomware group dubbed "Sorry" is actively exploiting CVE-2026-41940 — a CRLF injection vulnerability in certain cPanel/WHM builds — to create pre-auth session file entries that allow authentication bypass to root. After gaining privileged access, the actors deploy a Golang Linux encryptor that appends ".sorry" to files, uses three layers of encryption (AES-GCM, per-session RSA keys, and an embedded public key), attempts SSH propagation via credential stuffing, terminates database and related services, and directs victims to negotiate via a TOX ID. IOCs include the IP address 68.183.190.253, marker files, and a TOX identifier.
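The two indicators the summary actually names, the IP address 68.183.190.253 and the ".sorry" suffix on encrypted files, are enough for a first-pass hunt. The script below is an added example and is not code from the ThreatLocker post or the Sorry operators; it matches the IOC IP against web-server log lines and flags directories where most files already carry the ".sorry" suffix, which is the on-disk signal a defender would see once the encryptor has run. The log format, the sample lines and the file list are constructed here for illustration; the threshold value is an assumption to tune per environment.

```python
"""Added example: simple IOC hunt for the "Sorry" ransomware indicators.
Only the IP address and the ".sorry" suffix come from the post; the log
format, sample lines, file paths and threshold are constructed/assumed."""
import ipaddress
import re
from collections import defaultdict
from pathlib import PurePosixPath

SORRY_C2_IP = ipaddress.ip_address("68.183.190.253")  # IOC named in the post
SORRY_SUFFIX = ".sorry"  # appended to encrypted files, per the post

# Constructed sample access-log lines (common-log-format shape); not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '68.183.190.253 - - [01/Jan/2026:10:00:05 +0000] "POST /login HTTP/1.1" 302 0',
    '68.183.190.253 - - [01/Jan/2026:10:00:06 +0000] "GET /scripts/ HTTP/1.1" 200 1024',
    '198.51.100.4 - - [01/Jan/2026:10:00:07 +0000] "GET / HTTP/1.1" 200 2048',
]

# Constructed file listing as a post-encryption filesystem walk might return it.
SAMPLE_FILES = [
    "/var/lib/mysql/ibdata1.sorry",
    "/var/lib/mysql/shop.frm.sorry",
    "/var/lib/mysql/shop.ibd.sorry",
    "/home/site/public_html/index.php",
    "/home/site/public_html/config.php.sorry",
    "/etc/hosts",
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ips(line):
    """Return every syntactically valid IPv4 address found in one log line.
    Candidates like 999.1.1.1 match the regex but are rejected by ipaddress."""
    ips = []
    for candidate in IPV4_RE.findall(line):
        try:
            ips.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return ips


def hunt_ioc_ip(lines, ioc_ip=SORRY_C2_IP):
    """Return (line_number, line) pairs whose addresses include the IOC IP."""
    return [(n, line) for n, line in enumerate(lines, 1) if ioc_ip in extract_ips(line)]


def sorry_files(paths):
    """Return the paths whose final suffix is the ransomware's ".sorry"."""
    return [p for p in paths if PurePosixPath(p).suffix == SORRY_SUFFIX]


def flagged_dirs(paths, min_ratio=0.75):
    """Return directories where at least min_ratio of files carry ".sorry".
    A handful of stray files is noise; a directory that is mostly renamed is
    the mass-encryption pattern. min_ratio is an assumed starting point."""
    total = defaultdict(int)
    hit = defaultdict(int)
    for p in paths:
        d = str(PurePosixPath(p).parent)
        total[d] += 1
        if PurePosixPath(p).suffix == SORRY_SUFFIX:
            hit[d] += 1
    return sorted(d for d in total if hit[d] / total[d] >= min_ratio)


if __name__ == "__main__":
    for n, line in hunt_ioc_ip(SAMPLE_LOG):
        print(f"IOC IP seen at log line {n}: {line}")
    print("encrypted files:", sorry_files(SAMPLE_FILES))
    print("directories with mass .sorry renames:", flagged_dirs(SAMPLE_FILES))
```

Run against real data by replacing SAMPLE_LOG with the lines of the web-server access log and SAMPLE_FILES with an os.walk listing; the IP match is deliberately done on parsed addresses rather than a substring search so that, for example, 168.183.190.253 does not produce a false hit.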
