Tracking the "Sorry" Extortionist Campaign Against cPanel Websites

The recent wave of "Sorry" ransomware attacks that are leveraging the critical cPanel/WHM authentication bypass (CVE-2026-41940) has become a case study in how quickly an unpatched vulnerability can be weaponized at scale.

With over 44,000 IPs reportedly compromised, the Bournemouth 2600 group has been digging into the IOCs (Indicators of Compromise) to better understand the scope of this campaign.

During our analysis, we moved beyond just looking at the ransomware payload or attack source IPs and began tracking the unique identifiers the threat actors left behind in the ransom notes, using them as search keys to find compromised sites:

  • "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724"
  • "bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2"

A simple Google dork for the ransom note string yields an alarming number of indexed results, showing how quickly these compromised sites are being crawled and cached and effectively broadcasting each victim's misfortune to the world; one indexed result, for example, is the 'Embassy of Sri Lanka, Saudi Arabia'.

  • https://www.google.com/search?q=%223D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724%22

We also used Shodan, which indexes banners and page bodies collected from internet-wide port scans, to find IP addresses whose served HTML contains the string (via the http.html filter):
  • https://www.shodan.io/search?query=http.html%3A3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724

Lastly, we used urlscan.io, which lets you search the text content of previously scanned pages (and look up responses by their hash), to archive infected sites and hunt for more:
  • https://urlscan.io/search/#hash%3Adcc426b80cf8a5ddbb241f5735d02e96bb94e79dc55c15d958a988cfe029b750
  • https://urlscan.io/search/#text.content%3A%223D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724%22
  • https://urlscan.io/result/019e04a8-7686-74cf-acd5-f4bdb4edbe4c/

  • https://urlscan.io/search/#text.content%3A%22bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2%22
  • https://urlscan.io/result/019e0443-930a-757e-8864-4fa2401d022d/

Interestingly, one of the ransom notes instructs victims to "tweet ty15b6TOTuBuzUhfypJeagHl4e2sAs26, then we will help u <3", so pivoting to X/Twitter shows a number of victims actually tweeting this code:
https://x.com/search?q=%20ty15b6TOTuBuzUhfypJeagHl4e2sAs26&src=typed_query&f=live
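To make the same hunt repeatable across a hosting estate or a list of suspect hosts, here is a small Python script that scans fetched page bodies for the three strings quoted above, records each hit's SHA-256 body hash for the urlscan hash: pivot, and generates the Google, Shodan and urlscan query URLs for any IOC in the same shape as the links in this post. This is an added example written for this write-up, not Bournemouth 2600's tooling; the only real data in it are the three strings from the ransom note, and the sample HTML responses are constructed (no real victims). The IOC names, the example hostnames and the assumption that urlscan's hash: filter keys on the SHA-256 of the response body are ours.

```python
"""Hunt for the "Sorry" campaign IOCs in page bodies and build pivot queries.

Added example for this write-up, not the group's own tooling. Only the three
IOC strings come from the page; every page body below is constructed.
"""
import hashlib
import re
from urllib.parse import quote

# Strings quoted from the ransom notes on this page. The names are ours; the
# page does not state what the hex identifier encodes.
IOCS = {
    "hex_id": "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724",
    "btc_address": "bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2",
    "tweet_code": "ty15b6TOTuBuzUhfypJeagHl4e2sAs26",
}

# Hex may be lowercased by templates or log pipelines, so it is matched
# case-insensitively. A bech32 address is lowercase by specification and the
# tweet code is case-sensitive, so those are matched exactly.
_PATTERNS = {
    "hex_id": re.compile(re.escape(IOCS["hex_id"]), re.IGNORECASE),
    "btc_address": re.compile(re.escape(IOCS["btc_address"])),
    "tweet_code": re.compile(re.escape(IOCS["tweet_code"])),
}


def find_iocs(html: str) -> list[str]:
    """Return the names of the IOCs present in a page body, in a fixed order."""
    return [name for name, pat in _PATTERNS.items() if pat.search(html)]


def body_sha256(body: bytes) -> str:
    """SHA-256 of the raw response body.

    Assumption: this is the digest urlscan's hash: filter searches on, so a
    hit's hash can be fed straight into a urlscan pivot.
    """
    return hashlib.sha256(body).hexdigest()


def pivot_urls(ioc: str) -> dict[str, str]:
    """Build the Google, Shodan, urlscan and X queries used in the post for any IOC."""
    return {
        "google": "https://www.google.com/search?q=" + quote(f'"{ioc}"', safe=""),
        "shodan": "https://www.shodan.io/search?query=" + quote(f"http.html:{ioc}", safe=""),
        "urlscan": "https://urlscan.io/search/#" + quote(f'text.content:"{ioc}"', safe=""),
        "x": "https://x.com/search?q=" + quote(ioc, safe="") + "&src=typed_query&f=live",
    }


def triage(pages: dict[str, bytes]) -> dict[str, dict]:
    """Scan a {url: raw body} mapping and report the IOC hits plus the body hash."""
    report = {}
    for url, body in pages.items():
        hits = find_iocs(body.decode("utf-8", errors="replace"))
        if hits:
            report[url] = {"iocs": hits, "sha256": body_sha256(body)}
    return report


# Constructed sample responses (hypothetical hosts, not real victims): a defaced
# index page carrying the full note, a page with only the lowercased hex ID in
# an HTML comment, and a clean page.
SAMPLE_PAGES = {
    "http://victim-a.example/": (
        b"<html><body><h1>Sorry</h1><p>Your id: "
        b"3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724</p>"
        b"<p>pay to bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2 or tweet "
        b"ty15b6TOTuBuzUhfypJeagHl4e2sAs26, then we will help u <3</p></body></html>"
    ),
    "http://victim-b.example/": (
        b"<!-- 3d7889aec00f2325e1a3fbc0aca4e521670497f11e47fde13eade8fed3144b5eb56d6b198724 -->"
        b"<html><body>Under maintenance</body></html>"
    ),
    "http://clean.example/": b"<html><body>Welcome to our site</body></html>",
}

if __name__ == "__main__":
    for url, info in triage(SAMPLE_PAGES).items():
        print(url, info["iocs"], info["sha256"])
    for platform, url in pivot_urls(IOCS["hex_id"]).items():
        print(platform, url)
```

The Google, Shodan and urlscan URLs that pivot_urls() produces for the hex identifier are byte-for-byte the links listed above, so the same function gives you the equivalent pivots for the Bitcoin address, the tweet code, or any new identifier that turns up in a later note. In practice you would feed triage() with bodies fetched from your own hosts (or from the URLs the search engines return) rather than the constructed samples.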
The fact that victims are being coerced into tweeting specific codes to the attackers (as seen in our X/Twitter pivots) is a particularly cynical evolution. It transforms a private security failure into a public signal for the attackers, allowing them to verify successful infections through open-source social media monitoring.

Meanwhile, the indexability of these ransom notes by Google, Shodan and urlscan is a double-edged sword: it gives us, as defenders, a clear map of the devastation, but it also creates a lasting public record of the breach for any third party to see.