r/cpanel
Hey everyone, I’m looking for some honest input from people who’ve dealt with something similar.
I had a VPS with HostGator (VPS Premium plan), running cPanel/WHM. A few days ago, the server suddenly became completely unreachable:
- No ping (Destination Host Unreachable)
- No SSH access
- No WHM/cPanel access
- Couldn’t even reboot from the provider panel
Support initially gave generic answers about limited cPanel access due to a vulnerability, but after pushing, they confirmed the server was compromised via CVE-2026-41940 and hit by ransomware. All files were encrypted and they’re recommending a full rebuild.
Current situation
- Server is effectively dead
- No way to decrypt data (as expected)
- They offered to format and rebuild the VPS
What I do have
- Database schema backups
- Partial historical data backups
- Some older dumps (not fully up to date)
What I don’t have
- Recent backups (latest ones were stored on the same server → likely encrypted too)
So I’m probably missing a chunk of data from ~2024–2026.
Questions
- Has anyone dealt with this specific ransomware strain tied to cPanel recently? Any known decryptors?
- Is it worth requesting a raw disk snapshot before they wipe it, even if encrypted?
- Any realistic chance that provider-level snapshots exist in these cases (even if not advertised)?
- Best approach for partial recovery? (logs, external integrations, etc.)
- Anything I should absolutely do before allowing them to rebuild?
Notes
- This wasn’t an app-level issue; it was infrastructure-level exploitation.
- I recognize I should have had external/offsite backups — lesson learned the hard way.
Any input from people who’ve gone through similar incidents would be really helpful. I’m mainly trying to figure out if there’s any recovery angle left before I accept a full rebuild and data loss.
Thanks.
u/Guisheue — 17 days ago