Doommageddon is a ransomware and data-extortion threat actor publicly associated with attacks against organizations in multiple countries and sectors, including healthcare, financial services, business services, and consumer services in the United States, Brazil, and Paraguay. Reported victim postings indicate the group operates a leak-and-pressure model typical of modern ransomware crews, publicly naming targets and tracking incident states such as upcoming disclosure, negotiation, and leaked outcomes. Observed activity attributed to Doommageddon is consistent with financially motivated ransomware operations centered on extortion following compromise and alleged data theft. Public victim notices suggest the group uses staged coercion workflows, including deadlines and negotiation periods, to pressure organizations into payment. The available reporting supports attribution as a ransomware actor, but does not provide high-confidence evidence on its malware lineage, initial access methods, technical intrusion tradecraft, organizational structure, or any state sponsorship. No widely established aliases or confirmed sub-groups are currently available. Based on currently available information, Doommageddon should be tracked as an emerging ransomware extortion group with opportunistic targeting across diverse industries rather than a narrowly focused sector-specific actor.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack against a healthcare organization.
Conducting a ransomware attack resulting in leaked data against Francisco Imóveis in Brazil.
Conducting a ransomware attack against Solventa & Riskmetrica | Calificadora de Riesgos, a financial services organization in Paraguay.
Conducting a ransomware attack against PAID, a U.S.-based organization in the business services sector.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.