Ransomware Tracker (Entry #338): Sorry Worm

On April 27, 2026, a ransomware sample written in Go was submitted to VirusTotal; it appended the '.sorry' extension to the filenames it encrypted. On initial review, this was not the same as the 2018 Sorry ransomware, which was built on the open-source HiddenTear encryptor. This was a novel family, and that submission is the first-ever appearance of the Sorry Worm ransomware in the wild.

The very next day, cPanel released a Security Update addressing a new critical vulnerability affecting almost all versions of cPanel and WebHost Manager (WHM) and WordPress Squared, which allowed remote code execution on systems left unpatched and exploited. Over the next few days, cPanel provided updates, articles, detection scripts, and patches for immediate remediation. Then, on April 29, two days after the Sorry Worm appeared and a day after cPanel's update, watchTowr Labs published an extensive report (The Internet Is Falling Down, Falling Down, Falling Down) walking through the software's affected components, the anatomy of the vulnerability, and exploit details. For a quick overview of this cPanel vulnerability, cPanel's Security Update and watchTowr's report are more than sufficient. More information is on the official CVE page: CVE-2026-41940.

The relationship between the Sorry Worm and CVE-2026-41940 is that the Sorry Worm automatically exploits the vulnerability, encrypts files, and propagates across networks, all in a single package. To better understand how the Sorry Worm works, independent threat researcher(s) from OHIIHO Research produced a detailed three-part breakdown covering how they discovered the ransomware-worm hybrid (part 1), the malware's internals (part 2), and similar campaigns and how to defend against these threats (part 3). According to the researcher(s), they discovered the worm by monitoring open-source sandboxes such as VirusTotal and Hatching Triage. They quickly learned that the same malware appeared on other networks several hours after the initial infection, and they also highlighted a bundled SSH-bruteforcing backdoor toolkit embedded within it. Additionally, a Mirai-like SSH scanner kit was included in the file analysis. All three of these behaviors are indicative of worm-like activity.

Thus, we have a novel ransomware written in Go that can encrypt files (using AES+RSA), append the '.sorry' extension, exploit a critical vulnerability affecting a large number of web servers, and worm through networks by brute-forcing SSH relays, all in one package. Since the targets are web servers, we were able to search for possible victims of this attack using a few open-source methods, primarily by googling the Tox ID in the ransom note (literally) and using Shodan/Censys to do the same. The ransom notes and victims listed in the entry are from those efforts.
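As an added example (not code from the tracker entry or from OHIIHO Research), a triage helper built around the two indicators the entry gives: the '.sorry' extension and the Tox ID in the ransom note. It assumes ransom notes are plain-text files somewhere in the scanned tree; the Tox ID layout and checksum rule come from the Tox protocol, not from this page, and are used to keep a 76-character hash from being mistaken for a contact ID when pivoting on it.

```python
"""Sorry Worm triage helper (added example, not code from WatchGuard or OHIIHO Research): counts '.sorry' files per directory and extracts checksum-valid Tox IDs from note text."""
import os
import re
from collections import Counter

ENCRYPTED_EXT = ".sorry"
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")  # 38 bytes: key(32)+nospam(4)+checksum(2)

def tox_checksum(key_and_nospam: bytes) -> bytes:
    """XOR of the even-indexed bytes and of the odd-indexed bytes of the first 36 bytes."""
    chk = [0, 0]
    for i, b in enumerate(key_and_nospam[:36]):
        chk[i % 2] ^= b
    return bytes(chk)

def is_valid_tox_id(candidate: str) -> bool:
    """Drop 76-hex strings that are not Tox IDs (hashes, keys) so OSINT pivots stay accurate."""
    raw = bytes.fromhex(candidate)
    return len(raw) == 38 and tox_checksum(raw) == raw[36:]

def extract_tox_ids(text: str) -> list[str]:
    """De-duplicated, upper-cased, checksum-valid Tox IDs found in ransom-note text."""
    found: list[str] = []
    for tid in (m.upper() for m in TOX_ID_RE.findall(text)):
        if tid not in found and is_valid_tox_id(tid):
            found.append(tid)
    return found

def count_encrypted(paths) -> Counter:
    """Count '.sorry' files per directory over any iterable of file paths."""
    hits: Counter = Counter()
    for p in paths:
        if p.lower().endswith(ENCRYPTED_EXT):
            hits[os.path.dirname(p) or "."] += 1
    return hits

def triage_tree(root: str) -> tuple[Counter, list[str]]:
    """Walk a tree: per-directory encrypted-file counts plus Tox IDs from readable text files."""
    paths, ids = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            paths.append(full)
            if not name.lower().endswith(ENCRYPTED_EXT):  # encrypted payloads are not notes
                try:
                    with open(full, encoding="utf-8", errors="ignore") as fh:
                        ids += [t for t in extract_tox_ids(fh.read(65536)) if t not in ids]
                except OSError:
                    pass
    return count_encrypted(paths), ids
```

Run `triage_tree("/var/www")` (or any suspect path) on a host; a directory with many '.sorry' hits and a valid Tox ID is the pair of indicators worth searching for elsewhere.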

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/sorry-worm

Filed under: Ransomware, Research