Ransomware Claims Grew Three Times Faster Than Security Spending in 2025, CipherCue Data Shows

April 14, 2026
aisecurityprivacybusiness
A chaotic office desk with a laptop, scattered papers, sticky notes, and a potted plant.
Photo by Tara Winstead on Pexels

Quick take

It has been reported that CipherCue tracked 7,760 ransomware leak‑site claims in 2025, up from 5,939 in 2024 — a 30.7% rise. By contrast, Gartner says worldwide information‑security spending climbed from $193.4 billion to $213.0 billion over the same period, about 10.1% growth. In short: observable ransomware activity accelerated roughly three times faster than aggregate security budgets. Alarming? You bet.

The numbers behind the headline

CipherCue’s stream is drawn from public threat‑actor leak sites and other external incident data; those posts name alleged victims and are not confirmed breaches, so caveats apply. Still, the trend is hard to ignore: claims have ballooned from 268 in 2020 to 7,760 in 2025. Percentage growth is decelerating, yes, but absolute additions keep climbing — 1,821 more claims in 2025 than in 2024, the largest raw increase on record.

Who’s doing the most damage — and when

It has been reported that 136 distinct groups were observed in 2025, with the top ten responsible for 54.7% of claims. Qilin alone allegedly posted 1,007 claims (13% of the year), followed by Akira, Clop and others. Month‑by‑month, 2025 beat 2024 in 10 of 12 months; February was a standout with 1,050 claims — more than double February 2024. A frantic sprint early in the year, a quieter midseason, and a Q4 reprise. Familiar pattern? Unfortunately, yes.

What it means — and what it doesn’t

This is not a smoking gun that security budgets are pointless. These are different measures: leak‑site posts versus broad spending across many categories. What it does show is an uncomfortable gap — ransomware activity rising faster than the industry’s published spend trajectory. The takeaway for CISOs and boards: more money alone won’t win the arms race. Spend smarter, measure better, and stop treating noise for intelligence. After all, in cybersecurity the devil’s in the details — not the headline.

Sources: ciphercue.com, Hacker News