More than 40,000 servers have been compromised in an ongoing exploitation campaign targeting CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager (WHM). The Shadowserver Foundation reported the massive breach affecting the popular server management platform used by hosting providers worldwide.
The vulnerability, disclosed on April 28, 2026, allows unauthenticated attackers to gain administrative access to cPanel systems by exploiting special characters in authorization headers. Attackers can write parameters to session files and trigger reloads to authenticate using injected administrative credentials, giving them complete control over host systems, databases, and websites.
Exploitation Timeline and Scale
Security researchers believe CVE-2026-41940 was exploited as a zero-day since late February 2026, months before its public disclosure. Activity spiked dramatically after the vulnerability became public and threat intelligence firm watchTowr published technical exploitation details.
Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet, making them potential targets for ongoing attacks. The Shadowserver Foundation initially observed 44,000 unique IP addresses conducting scanning and exploitation attempts against their honeypot sensors.
By May 3, 2026, the number of actively compromised systems had dropped significantly, though tens of thousands remain affected. The United States hosts the majority of compromised systems, followed by France and the Netherlands.
https://x.com/Shadowserver/status/2050208472386396568
Healthcare Sector Under Siege
The healthcare industry continues to face severe ransomware attacks, with South Carolina’s Sandhills Medical Foundation disclosing a breach affecting nearly 170,000 individuals. According to Sandhills Medical’s security notice, the organization discovered a ransomware attack on May 8, 2025, but only publicly disclosed the incident nearly one year later.
The Inc Ransom group listed Sandhills Medical on its leak website in early June 2025 and has since made stolen files available for download. Compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, government-issued identification, passports, financial information, and personal health records.
This attack follows a pattern of healthcare organizations becoming prime targets for ransomware groups due to their critical operations and sensitive data holdings.
Ransomware Gang Member Sentenced
Federal authorities secured a significant conviction in the Karakurt ransomware case: Deniss Zolotarjovs, a 35-year-old Latvian national, was sentenced to 8.5 years in prison. Court documents show Zolotarjovs served as a negotiator for the group between June 2021 and March 2023.
During his tenure, Karakurt attacked at least 53 entities, causing $56 million in total losses. Zolotarjovs received 10% of negotiated ransom payments in cryptocurrency, which he laundered through multiple wallets before converting to Russian rubles. In one documented case, he recommended publishing pediatric patient data online when a healthcare company delayed payment.
Karakurt, associated with the infamous Conti group and operating under aliases including TommyLeaks and Schoolboys Ransomware Gang, targeted organizations across multiple industries to steal personally identifiable information and extort payments.
Ransomware Groups Turn on Each Other
An unusual development emerged when two newer ransomware-as-a-service operations, 0APT and KryBit, began attacking each other’s infrastructure. Halcyon Ransomware Research Center documented the feud, which exposed operational data and infrastructure details typically hidden from security researchers.
0APT initially emerged in late January 2026 with nearly 200 claimed victims, though researchers assessed the list as fabricated due to lack of evidence. After months of inactivity, 0APT reemerged in mid-April claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse.
KryBit launched in late March 2026, offering ransomware-as-a-service kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate payment model. The group published 10 legitimate victims within its first two weeks of operation.
Vect 2.0 Ransomware Flaw Creates Accidental Wiper
A critical design flaw in Vect 2.0 ransomware transforms the malware into an accidental wiper for files larger than 128KB. Check Point Software discovered that the ransomware permanently destroys large files instead of encrypting them, making recovery impossible even with payment.
The flaw affects Vect’s ChaCha20-IETF encryption scheme across Windows, Linux, and VMware ESXi variants. For files above 131,072 bytes, the malware encrypts four independent chunks using four randomly generated nonces but only saves the final nonce to disk. Without the first three nonces, the corresponding chunks cannot be decrypted: the ChaCha20 keystream depends on both the key and the nonce, so holding the key alone is not enough.
This defect essentially makes Vect 2.0 a wiper for “virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups,” according to Check Point’s analysis. The ransomware has been deployed against victims of TeamPCP supply chain attacks.
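To make the recoverability question concrete for incident responders, the following added example (not Check Point’s analysis code and not Vect’s own code) models the described scheme: a pure-Python ChaCha20 block function following RFC 8439, a file split into four chunks each encrypted under a fresh 96-bit nonce, and a footer that retains only the last nonce. The chunk layout (four equal-sized pieces, remainder in the last), the footer format and all sample data are assumptions constructed for the demonstration; only the 131,072-byte threshold, the four-chunk split and the single-nonce loss come from the text.

```python
import os
import struct

CHUNK_THRESHOLD = 131_072  # 128 KiB, the size above which the page says chunking kicks in
NUM_CHUNKS = 4             # four independent chunks, each under its own nonce


def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1 quarter round on four state words.
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    # State layout: 4 constant words, 8 key words, 32-bit counter, 3 nonce words (IETF form).
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds: alternating column and diagonal rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Keystream XOR; the same call encrypts and decrypts (stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def chunk_bounds(length):
    """Assumed layout: four equal chunks, any remainder goes to the last one."""
    base = length // NUM_CHUNKS
    bounds = [(i * base, (i + 1) * base) for i in range(NUM_CHUNKS - 1)]
    bounds.append(((NUM_CHUNKS - 1) * base, length))
    return bounds


def flawed_encrypt(key, data):
    """Model of the described defect. Returns (ciphertext, the single nonce that survives).

    Small files: one nonce, fully recoverable. Large files: four fresh nonces are used,
    but only the final one is kept, exactly the situation the text describes.
    """
    if len(data) <= CHUNK_THRESHOLD:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, data), nonce
    out = bytearray()
    stored_nonce = None
    for start, end in chunk_bounds(len(data)):
        stored_nonce = os.urandom(12)  # fresh nonce per chunk, previous ones discarded
        out.extend(chacha20_xor(key, stored_nonce, data[start:end]))
    return bytes(out), stored_nonce


def recover(key, ciphertext, stored_nonce):
    """What a responder holding the key and the on-disk nonce can get back.

    Returns one entry per chunk: the plaintext bytes, or None where the nonce is gone.
    """
    if len(ciphertext) <= CHUNK_THRESHOLD:
        return [chacha20_xor(key, stored_nonce, ciphertext)]
    bounds = chunk_bounds(len(ciphertext))
    parts = [None] * (NUM_CHUNKS - 1)          # first three nonces never hit disk
    start, end = bounds[-1]
    parts.append(chacha20_xor(key, stored_nonce, ciphertext[start:end]))
    return parts


if __name__ == "__main__":
    key = os.urandom(32)
    sample = os.urandom(CHUNK_THRESHOLD + 4096)   # constructed "large file"
    ct, nonce = flawed_encrypt(key, sample)
    parts = recover(key, ct, nonce)
    print("recoverable chunks:", sum(p is not None for p in parts), "of", NUM_CHUNKS)
```

Running it shows that only the last quarter of a large file comes back even with the correct key, and applying the stored nonce to the earlier chunks yields keystream garbage rather than plaintext; since the missing nonces are 96-bit random values, guessing them is not a practical recovery path, which is why the text calls the sample a wiper for anything above the threshold.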
What This Means
The cPanel vulnerability represents a massive attack surface with 1.5 million potentially vulnerable instances worldwide. The healthcare sector’s continued targeting demonstrates ransomware groups’ focus on critical infrastructure where organizations face pressure to pay quickly. Meanwhile, the Karakurt conviction shows law enforcement’s growing success in prosecuting ransomware operators, particularly negotiators who handle victim communications.
The feuding between 0APT and KryBit provides rare intelligence into ransomware operations, while the Vect 2.0 flaw highlights how technical errors can make ransomware even more destructive than intended. Organizations should prioritize patching cPanel installations immediately and implement robust backup strategies that account for both encryption and data destruction scenarios.
FAQ
How can organizations protect against the cPanel vulnerability?
Update to patched cPanel versions immediately: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, or 11.130.0.19. Follow cPanel’s official instructions for identifying potential compromises and implement network segmentation to limit exposure.
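A branch-aware version check is the practical first step, because cPanel publishes fixes per release branch and a plain string comparison would rank 11.86.0.41 above 11.130.0.19. The following added example (not cPanel’s tooling) encodes the six patched builds listed above and classifies an installed version string; the file path /usr/local/cpanel/version used for the local check is an assumption, and the example generalises to any version string of the same four-part shape.

```python
# Patched builds from the FAQ, keyed by release branch (the second version component).
PATCHED_BUILDS = {
    86: (11, 86, 0, 41),
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    124: (11, 124, 0, 35),
    126: (11, 126, 0, 54),
    130: (11, 130, 0, 19),
}


def parse_version(text):
    """Parse '11.110.0.97' into (11, 110, 0, 97); returns None for anything else."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None
    return parts if len(parts) == 4 and parts[0] == 11 else None


def classify_version(text):
    """'patched', 'vulnerable' or 'unknown' for a cPanel/WHM version string.

    Branches with no listed fix are reported as 'unknown' rather than guessed at;
    an operator should treat 'unknown' the same as 'vulnerable' until confirmed.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    fixed = PATCHED_BUILDS.get(version[1])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def check_local(path="/usr/local/cpanel/version"):
    """Read the installed version from the assumed path and classify it."""
    try:
        with open(path, encoding="ascii") as fh:
            return classify_version(fh.read())
    except OSError:
        return "unknown"


if __name__ == "__main__":
    print("local install:", check_local())
```

A result of "unknown" for a newer branch than 130 does not mean the host is safe; confirm against the vendor advisory before closing the finding.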
Why are healthcare organizations frequently targeted by ransomware?
Healthcare providers store valuable personal and medical data, operate critical systems that create pressure for quick payment, and often have weaker cybersecurity infrastructure compared to financial institutions. The sector’s life-or-death operations make downtime extremely costly.
What should organizations do if hit by Vect 2.0 ransomware?
Do not pay the ransom, as files larger than 128KB cannot be recovered due to the encryption flaw. Focus on restoring from clean backups and implementing incident response procedures. The malware effectively functions as a wiper, making payment pointless for most meaningful data.
Sources
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Karakurt Ransomware Negotiator Sentenced to Prison – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation – SecurityWeek
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error – Dark Reading