HancoCyber • Incident Response • cPanel Security

Sorry ransomware: if they can't ransom you, they will hammer you

A reminder for organisations running cPanel and WHM to review exposure, preserve evidence, and respond correctly if compromise is suspected.

For anyone running cPanel or WHM, the update is already available, but some environments do not have automatic updates enabled, so do not assume it has been applied.

If you have not already reviewed CVE-2026-41940, it is worth checking your exposure and reviewing logs.

In some cases, what initially appears to be a hosting outage or DNS issue can actually be a control panel compromise. The website or host server may appear unreachable, but the root cause may not be the web server itself.

You may also discover files with a .sorry extension (for example example.com.sorry) within affected environments.

⚠ Preserve Evidence First

Before making major changes, take a snapshot of the system and preserve relevant data.

  • Copy access logs
  • Export DNS zones
  • Save account data
  • Preserve authentication logs
  • Collect API token activity
  • Archive WAF and ModSecurity logs
  • Back up the named (BIND) and cPanel configuration files

If you discover .sorry files or ransom notes, focus on evidence preservation and recovery planning rather than reading the note itself.

Investigation Checklist

The following areas are worth reviewing immediately:

  • WHM/cPanel access logs
  • API token creation and usage
  • Unexpected account creation
  • Reseller privilege or ACL changes
  • DNS zone modifications
  • SSH authorized_keys files
  • Root password changes
  • WAF or ModSecurity authentication bypass alerts
  • Zone files that have been modified, renamed or removed
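As an added triage example (not part of the original advisory), the script below walks the WHM/cPanel access log for the API calls that correspond to the checklist areas above (token creation, account creation, reseller or ACL changes, password changes, DNS zone changes) and flags root sessions from addresses you have not recognised as administrative. The log layout, the sample lines and the watchlist of WHM API 1 function names are my own assumptions; check them against your cPanel version before relying on the output.

```python
import re

# Constructed sample lines in the layout of cPanel's /usr/local/cpanel/logs/access_log
# (assumed: client IP, user, timestamp, request, status, bytes, referer, user agent).
SAMPLE_LOG = """\
203.0.113.10 - root [14/04/2026:09:12:05 -0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 5120 "-" "WHM-admin-script"
198.51.100.7 - root [14/04/2026:23:41:10 -0000] "GET /json-api/api_token_create?api.version=1&token_name=bkp HTTP/1.1" 200 311 "-" "curl/8.4.0"
198.51.100.7 - root [14/04/2026:23:41:32 -0000] "GET /json-api/createacct?api.version=1&username=svcmail&domain=example.com HTTP/1.1" 200 742 "-" "curl/8.4.0"
198.51.100.7 - root [14/04/2026:23:42:01 -0000] "GET /json-api/killdns?api.version=1&domain=example.com HTTP/1.1" 200 120 "-" "curl/8.4.0"
203.0.113.10 - alice [15/04/2026:08:03:44 -0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
API_RE = re.compile(r"^/(?:json|xml)-api/([A-Za-z0-9_]+)")
WATCHLIST = {  # WHM API 1 calls mapped to the checklist areas above (my own, non-exhaustive list)
    "api_token_create": "API token creation", "api_token_revoke": "API token revocation",
    "createacct": "unexpected account creation", "setupreseller": "reseller privilege change",
    "saveacllist": "ACL change", "setacls": "ACL change", "passwd": "password change",
    "adddns": "DNS zone modification", "killdns": "DNS zone modification",
    "addzonerecord": "DNS zone modification", "editzonerecord": "DNS zone modification",
    "removezonerecord": "DNS zone modification"}

def api_function(path):
    """Return the WHM API function name from a /json-api or /xml-api path, else None."""
    m = API_RE.match(path)
    return m.group(1) if m else None

def triage(log_text, known_admin_ips):
    """One finding per line that hits the watchlist or shows a root session from an unknown IP."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are left for manual review, not silently trusted
        rec = m.groupdict()
        func = api_function(rec["path"])
        reasons = []
        if func in WATCHLIST:
            reasons.append(WATCHLIST[func])
        if rec["user"] == "root" and rec["ip"] not in known_admin_ips:
            reasons.append("root session from unrecognised IP")
        if reasons:
            findings.append({"ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
                             "function": func, "status": int(rec["status"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, known_admin_ips={"203.0.113.10"}):
        print(f["ts"], f["ip"], f["user"], f["function"], "; ".join(f["reasons"]))
```

Run it against a copy of the preserved access log rather than the live file, and feed it the address list of your legitimate administrators so that ordinary maintenance sessions are not reported.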

The Key Issue

If you identify evidence of root-level WHM or API abuse, treat the incident as a full server compromise rather than a simple hosting or DNS issue.

Don't Rush To Pay

If ransomware-style artifacts are present, payment should not be the first move.

Speak with your hosting provider, incident response team, cyber insurance contact, legal advisers, or another trusted recovery partner before making any decisions.

Recommended First Actions

  • Isolate access where possible
  • Snapshot and preserve evidence
  • Check for active persistence mechanisms
  • Revoke unknown API tokens
  • Review SSH keys
  • Patch cPanel and WHM immediately
  • Rotate credentials
  • Restore or rebuild from a known-good state if root access was abused

Recovery Considerations

The attack timeline matters. Weekly backups may provide a suitable recovery point, depending on when the compromise occurred.

However, some organisations may find themselves rebuilding DNS zones, restoring databases, or recreating services from scratch.

Most importantly, if root-level compromise occurred, the environment can no longer be assumed trustworthy.

Your investigation may continue for weeks, but your organisation also needs to return to normal operations as quickly and safely as possible.

PATCH ON TIME.
“There's nothing more permanent than a temporary hack.”

— Kyle Simpson

Need Help With Incident Response?

If you suspect cPanel compromise, ransomware activity, DNS tampering, or root-level abuse, HancoCyber can help assess exposure, preserve evidence, and support recovery.

Book a Cyber Security Consultation