Skip to content
Ransomware group

Doommageddon

Doommageddon is a ransomware and data-extortion threat actor publicly associated with leak-site style victim postings and staged disclosure claims.

Profile source: Mallory opens in a new tab

Doommageddon

Family profile

Doommageddon is a ransomware and data-extortion threat actor publicly associated with leak-site style victim postings and staged disclosure claims. Reported activity in 2026 links the group to extortion incidents affecting organizations in Brazil, Paraguay, and the United States, including healthcare, financial services, consumer services, and business services entities. Observed victim handling includes marking cases with statuses such as upcoming, leaked, and negotiated, indicating a workflow consistent with double-extortion operations in which data theft and public exposure are used to pressure victims.

The group has been associated with claims of breaching healthcare organizations and threatening phased publication of stolen information. In one reported case, the actor claimed a three-wave release model beginning with medical data and escalating to broader personal, protected health, and database content. This pattern suggests coercive pressure tactics centered on reputational harm, regulatory exposure, and operational disruption rather than purely encryption-led impact.

Known targeting spans multiple sectors, with particular concern for healthcare due to the sensitivity of patient information, but currently available reporting is limited and does not support high-confidence attribution to a nation state or a specific broader ransomware cartel. The alias Doommageddon is the primary known name from current reporting, and no corroborated sub-groups or alternative widely used aliases are presently available. Overall, Doommageddon should be tracked as an emerging criminal ransomware/extortion actor whose observed tradecraft emphasizes public shaming, leak deadlines, and threatened incremental data release.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.