7,760
Ransomware leak-site claims tracked by CipherQ in 2025 rise to 5,939 in 2024
CipherQ monitors, normalizes, and cross-references public cyber incident data from external sources, including ransomware leak-site claims, regulatory violation filings, vulnerability disclosures, and listed-company incident reports. The ransomware claim stream, derived from public threat actor leak sites, is the largest by volume.
In 2025, that stream was recorded 7,760 claimsfrom to 5,939 in 2024. This is a year-on-year increase 30.7%.
End-user spending on information security increased worldwide, in Gartner’s July 2025 spending forecast $193.4 billion in 2024 To $213.0 billion in 2025increase about 10.1%.
These are different measurements. The leak-site claims are public posts by ransomware groups revealing the names of alleged victims. They are not confirming the violations. The Gartner figure is an estimate of worldwide spending across all security categories, not a direct measure of the ransomware response. But the directional comparison is worth making: In 2025, the volume of tracked ransomware claims grew nearly three times faster than total security spending.
It supports a narrower conclusion than the general title. It doesn’t prove that every category of cyberattack is outpacing every security budget, and it doesn’t tell you whether an individual organization’s spending was effective. This suggests that the observable volume of ransomware activity is increasing faster than the industry’s published spending trajectory.
Growth difference in a chart
Ransomware claims tracked
+30.7%
Security Spend (Gartner)
+10.1%
2024
2025 claims
2025 expenses
2025 was a record year
| metric | 2024 | 2025 | 2026 (partial) |
|---|---|---|---|
| Ransomware claims tracked | 5,939 | 7,760 | 660 to mid-April |
| Different groups were observed | 116 | 136 | 48 to mid April |
| Worldwide Security Spending (Gartner) | $193.4 billion | $213.0bn | $239.8 billion forecast |
CipherCue’s tracked ransomware claim data runs from 2020 to present. Within that window, 2025 recorded the highest full-year total: 1,821 more claims than in 2024, from 20 additional specific groups.
As of mid-April 2026, the same sources show 660 claims from 48 groups. This is a live count, not a projection for the entire year.
268 to 7,760 in five years
CipherQ has tracked ransomware leak-site claims from external sources since 2020. The growth rate is decreasing year after year, but every year a new record has been made.
| Year | Claim | year on year increase |
|---|---|---|
| 2020 | 268 | – |
| 2021 | 1,816 | +577.6% |
| 2022 | 3,157 | +73.8% |
| 2023 | 4,394 | +39.2% |
| 2024 | 5,939 | +35.2% |
| 2025 | 7,760 | +30.7% |
The percentage growth rate is slowing, but the absolute growth per year is still increasing: +1,341 in 2022, +1,237 in 2023, +1,545 in 2024, +1,821 in 2025. Each year added more claims in raw terms than the previous one.
Month by month: 2025 vs 2024
2025 exceeded 2024 in 10 out of 12 months. February 2025 was the highest month tracked with 1,050 claims, more than double that of February 2024.
2024
2025
2025 down 2024
The surge in early 2025 was concentrated in January and February. There were a total of 2,418 claims in Q1 2025 while there were 1,234 claims in Q1 2024, which is almost double. The mid-year period from May to September moved closer to the 2024 level, before Q4 climbed again to 2,243.
136 groups, but the top ten did most of the work
CipherCue tracked claims from 136 different groups in 2025. Group names reflect source labels from leak-site monitoring and may include aliases that have not been completely removed.
| Group | 2025 claims | share |
|---|---|---|
| qilin | 1,007 | 13.0% |
| akira | 729 | 9.4% |
| thump | 518 | 6.7% |
| game | 390 | 5.0% |
| inc ransom | 369 | 4.8% |
| secure payment | 365 | 4.7% |
| lynx | 240 | 3.1% |
| Dragon Force | 221 | 2.8% |
| Ransomhub | 218 | 2.8% |
| shinobi | 187 | 2.4% |
| All other groups (126) | 3,516 | 45.3% |
The top five groups had 3,013 claims, or 38.8% of the year’s total. The top ten produced 4,244 (54.7%). The remaining 126 groups generated 3,516 claims between them. Nearly half the volume comes from outside the top ten, suggesting a broad and fragmented threat landscape rather than a consolidated scenario.
Other sources tracked by CipherCue also point in the same direction
Ransomware leak-site claims are the highest-volume signals CipherQ tracks, but the platform also tracks regulatory breach filings, vulnerability catalogs and listed-company incident disclosures from independent public sources. These are not directly comparable, as each source has different reporting limits, coverage windows, and definitions. However, they do provide directional reference.
| Source | 2024 | 2025 | 2026 (partial) |
|---|---|---|---|
| Ransomware claims | 5,939 | 7,760 | 660 |
| HHS OCR Violation Filing (US Healthcare) | 164 | 517 | 101 |
| CISA KEV Entries (Exploited Vulnerabilities) | 186 | 245 | 75 |
| HIBP verified violations | 82 | 58 | – |
| SEC 8-K Item 1.05 Filing | 14 | 4 | 2 |
| ICO enforcement actions (UK) | 39 | 28 | 13 |
HHS OCR violation filings increased from 164 in 2024 to 517 in 2025, the largest year-over-year increase of any source tracked. CISA’s list of known exploited vulnerabilities added 245 entries in 2025, up from 186 in 2024. These are independent indications that report that incidents and the exploited attack surface continued to expand through 2025.
SEC 8-K Item 1.05 count drops from 14 filings in 2024 to 4 in 2025. This probably reflects the small sample and high materiality threshold for securities disclosures, not a decline in incidence. CipherCue also tracks 49 UK listed-company cyber incident disclosures across 35 entities, although that source has not yet extended to 2026.
What does the comparison actually show?
Public leak-site sources revealed that ransomware claim volume is expected to grow nearly three times faster than security spending worldwide in 2025. This is a directional finding, not evidence of universal underinvestment.
These are fundamentally different solutions. Postings by an actor making public threats from monitored sources are counted. Estimates global end-user spending in all other security categories. But such directional comparisons start a conversation on budget: if the observable threat is growing at a rate of 30% and the budget is growing at a rate of 10%, the difference keeps increasing every year.
This analysis does not assess confirmed violations, insurance losses, or whether an individual organization’s spending was effective. It measures what appears in the public record.
method note
Ransomware Claim Data: Obtained from public ransomware leak-site monitoring, ingested and normalized by CipherQ. The tracked dataset includes 23,994 records from mid-2020 to April 2026. The year total is based on the date each claim is filed. Group counts reflect individual source labels and may include aliases that have not been fully normalized. The number of claims reflects the threat actor’s postings, not confirmed breaches.
Additional sources tracked: HHS OCR Breach Portal (787 records tracked), CISA Known Exploited Vulnerabilities (1,559 records), HIBP Verified Breaches (696 records), ICO Enforcement Actions (175 records), SEC Edgar 8-K Item 1.05 filings (21 filings from 18 entities), UK Listed-Company Cyber Disclosures (49 disclosures from 35 entities). Each source has different reporting limits and coverage periods. These are cited for directional consistency, not for direct comparison.
Security Expenditure Data: Gartner press release, July 29, 2025: Gartner estimates worldwide end-user spending on information security will total $213 billion in 2025. Published totals: $193.408 billion (2024), $213.025 billion (2025), $239.759 billion (2026 forecast). The 10.1% growth rate used in this article is calculated from those published figures. Gartner divides the total into three segments: security services ($83.8 billion in 2025), security software ($105.9 billion), and network security ($23.3 billion).
Important warnings: This article compares a public expenditure forecast to a tracked hazard-claims dataset. It does not measure confirmed incidents, insurance losses or internal budget allocations by region. Claims of ransomware are not the same as breaches. Gartner’s spending figures are forward-looking estimates. The 2026 figures shown are partial-year snapshots.
Get this data for your watchlist
CipherQ tracks ransomware claims, regulatory violation filings, vulnerability disclosures and listed-company incident reports across thousands of entities. To apply this analysis to a specific portfolio, sector or company watchlist, request a demo.
<a href