Doommageddon
Doommageddon is a ransomware and data-extortion threat actor publicly associated with leak-site style victim postings and staged disclosure claims.
Profile source: Mallory opens in a new tabDoommageddon
Family profile
Doommageddon is a ransomware and data-extortion threat actor publicly associated with leak-site style victim postings and staged disclosure claims. Reported activity in 2026 links the group to extortion incidents affecting organizations in Brazil, Paraguay, and the United States, including healthcare, financial services, consumer services, and business services entities. Observed victim handling includes marking cases with statuses such as upcoming, leaked, and negotiated, indicating a workflow consistent with double-extortion operations in which data theft and public exposure are used to pressure victims.
The group has been associated with claims of breaching healthcare organizations and threatening phased publication of stolen information. In one reported case, the actor claimed a three-wave release model beginning with medical data and escalating to broader personal, protected health, and database content. This pattern suggests coercive pressure tactics centered on reputational harm, regulatory exposure, and operational disruption rather than purely encryption-led impact.
Known targeting spans multiple sectors, with particular concern for healthcare due to the sensitivity of patient information, but currently available reporting is limited and does not support high-confidence attribution to a nation state or a specific broader ransomware cartel. The alias Doommageddon is the primary known name from current reporting, and no corroborated sub-groups or alternative widely used aliases are presently available. Overall, Doommageddon should be tracked as an emerging criminal ransomware/extortion actor whose observed tradecraft emphasizes public shaming, leak deadlines, and threatened incremental data release.
Ransomware.live
Operational record
Ransomware.live