CipherCue monitors, normalises, and cross-references public cyber incident data from external sources, including ransomware leak-site claims, regulatory breach filings, vulnerability disclosures, and listed-company incident reports. The ransomware claim stream, sourced from public threat actor leak sites, is the largest by volume.
In 2025, that stream recorded 7,760 claims, up from 5,939 in 2024. That is a year-over-year increase of 30.7%.
In Gartner's July 2025 spending forecast, worldwide information security end-user spending rose from $193.4 billion in 2024 to $213.0 billion in 2025, growth of about 10.1%.
These are different measurements. Leak-site claims are public posts by ransomware groups naming alleged victims. They are not confirmed breaches. Gartner's figure is a worldwide spending estimate across all security categories, not a direct measure of ransomware response. But the directional comparison is worth making: in 2025, the volume of tracked ransomware claims grew about three times as fast as aggregate security spending.
That supports a narrower conclusion than the usual headline. It does not prove that every category of cyber attack is outpacing every security budget, and it does not tell you whether any individual organisation's spending was effective. What it does show is that the observable volume of ransomware activity continued to accelerate faster than the industry's published spending trajectory.
The growth gap in one chart
2025 was a record year
| Metric | 2024 | 2025 | 2026 (partial) |
|---|---|---|---|
| Ransomware claims tracked | 5,939 | 7,760 | 660 to mid-April |
| Distinct groups observed | 116 | 136 | 48 to mid-April |
| Worldwide security spend (Gartner) | $193.4bn | $213.0bn | $239.8bn forecast |
CipherCue's tracked ransomware claim data runs from 2020 to the present. Within that window, 2025 recorded the highest full-year total: 1,821 more claims than 2024, from 20 additional distinct groups.
As of mid-April 2026, the same sources show 660 claims from 48 groups. That is a live count, not a full-year projection.
268 to 7,760 in five years
CipherCue has tracked ransomware leak-site claims from external sources since 2020. The year-over-year growth rate is decelerating, but every year has set a new record.
| Year | Claims | YoY growth |
|---|---|---|
| 2020 | 268 | - |
| 2021 | 1,816 | +577.6% |
| 2022 | 3,157 | +73.8% |
| 2023 | 4,394 | +39.2% |
| 2024 | 5,939 | +35.2% |
| 2025 | 7,760 | +30.7% |
The percentage growth rate is slowing, but the absolute increase per year is still climbing: +1,341 in 2022, +1,237 in 2023, +1,545 in 2024, +1,821 in 2025. Every year added more claims than the previous one in raw terms.
Month by month: 2025 vs 2024
2025 exceeded 2024 in 10 of 12 months. February 2025 was the single highest month tracked at 1,050 claims, more than double February 2024.
The early-2025 surge was concentrated in January and February. Q1 2025 totalled 2,418 claims versus 1,234 in Q1 2024, nearly double. The mid-year period from May to September ran closer to 2024 levels, before Q4 climbed again to 2,243.
136 groups, but the top ten did most of the work
CipherCue tracked claims from 136 distinct groups in 2025. Group names reflect source labels from leak-site monitoring and may include aliases that have not been fully deduplicated.
| Group | 2025 claims | Share |
|---|---|---|
| Qilin | 1,007 | 13.0% |
| Akira | 729 | 9.4% |
| Clop | 518 | 6.7% |
| Play | 390 | 5.0% |
| INC Ransom | 369 | 4.8% |
| SafePay | 365 | 4.7% |
| Lynx | 240 | 3.1% |
| DragonForce | 221 | 2.8% |
| RansomHub | 218 | 2.8% |
| Sinobi | 187 | 2.4% |
| All other groups (126) | 3,516 | 45.3% |
The top five groups accounted for 3,013 claims, or 38.8% of the year's total. The top ten produced 4,244 (54.7%). The remaining 126 groups generated 3,516 claims between them. Nearly half the volume comes from outside the top ten, suggesting a broad and fragmented threat landscape rather than a consolidating one.
Other sources tracked by CipherCue point in the same direction
Ransomware leak-site claims are the highest-volume signal CipherCue tracks, but the platform also monitors regulatory breach filings, vulnerability catalogues, and listed-company incident disclosures from independent public sources. These are not directly comparable, as each source has different reporting thresholds, coverage windows, and definitions. They do, however, provide directional context.
| Source | 2024 | 2025 | 2026 (partial) |
|---|---|---|---|
| Ransomware claims | 5,939 | 7,760 | 660 |
| HHS OCR breach filings (US healthcare) | 164 | 517 | 101 |
| CISA KEV entries (exploited vulnerabilities) | 186 | 245 | 75 |
| HIBP verified breaches | 82 | 58 | - |
| SEC 8-K Item 1.05 filings | 14 | 4 | 2 |
| ICO enforcement actions (UK) | 39 | 28 | 13 |
HHS OCR breach filings jumped from 164 in 2024 to 517 in 2025, the largest year-over-year increase of any source tracked. CISA's Known Exploited Vulnerabilities catalogue added 245 entries in 2025, up from 186 in 2024. These are independent signals that reported incidents and exploited attack surface continued to expand through 2025.
The SEC 8-K Item 1.05 count fell from 14 filings in 2024 to 4 in 2025. That likely reflects the small sample and the high materiality threshold for securities disclosure, not a decline in incidents. CipherCue also tracks 49 UK listed-company cyber incident disclosures across 35 entities, though that source does not yet extend into 2026.
What the comparison actually shows
Ransomware claim volume, as tracked from public leak-site sources, grew about three times as fast as worldwide security spending in 2025. That is a directional finding, not proof of universal underinvestment.
These are fundamentally different measures. One counts public threat actor postings from monitored sources. The other estimates global end-user spending across all security categories. But directional comparisons like this are how budget conversations start: if the observable threat is growing at 30% and the budget is growing at 10%, the gap compounds every year it persists.
This analysis does not measure confirmed breaches, insurance losses, or whether any individual organisation's spending was effective. It measures what is visible in the public record.
Method note
Ransomware claim data: Sourced from public ransomware leak-site monitoring, ingested and normalised by CipherCue. The tracked dataset contains 23,994 records from 2020 through mid-April 2026. Year totals are based on the recorded date of each claim. Group counts reflect distinct source labels and may include aliases that have not been fully normalised. Claim counts represent threat actor postings, not confirmed breaches.
Additional sources tracked: HHS OCR Breach Portal (787 records tracked), CISA Known Exploited Vulnerabilities (1,559 records), HIBP verified breaches (696 records), ICO enforcement actions (175 records), SEC EDGAR 8-K Item 1.05 filings (21 filings from 18 entities), UK listed-company cyber disclosures (49 disclosures from 35 entities). Each source has different reporting thresholds and coverage periods. These are cited for directional consistency, not direct comparison.
Security spending data: Gartner press release, 29 July 2025: Gartner Forecasts Worldwide End-User Spending on Information Security to Total $213 Billion in 2025. Published totals: $193.408 billion (2024), $213.025 billion (2025), $239.759 billion (2026 forecast). The 10.1% growth rate used in this article is calculated from those published figures. Gartner breaks the total into three segments: Security Services ($83.8bn in 2025), Security Software ($105.9bn), and Network Security ($23.3bn).
Important caveats: This article compares one public spending forecast with one tracked threat-claim dataset. It does not measure confirmed incidents, insurance losses, or internal budget allocation by sector. Ransomware claims are not the same as breaches. Gartner spending figures are forward-looking estimates. The 2026 figures shown are partial-year snapshots.
Get this data for your watchlist
CipherCue tracks ransomware claims, regulatory breach filings, vulnerability disclosures, and listed-company incident reports across thousands of entities. To apply this analysis to a specific portfolio, sector, or company watchlist, request a demo.