CipherCue's tracking data reveals a widening gap between observed threat activity and industry investment. In 2025, public ransomware leak-site claims surged by 30.7%, reaching 7,760 incidents. Conversely, Gartner's forecast pegged worldwide information security spending growth for the same period at just 10.1% globally.

This directional mismatch suggests that the observable volume of ransomware operations is accelerating roughly three times faster than the aggregate budget allocated to security measures. While these metrics use different baselines—leak-site posts versus total security spend—the divergence is stark and compounding yearly across the visible threat surface.

Further analysis shows the threat remains fragmented; the top ten ransomware groups accounted for just over half of 2025's claims, indicating a broad ecosystem of actors. Separately, other signals like CISA KEV entries also showed substantial year-over-year increases, confirming broader attack surface growth against the $213.0 billion security budget.

Qilin led the pack in 2025 with over a thousand tracked claims, demonstrating concentrated pressure from established players. This comparison, while imperfect, frames a clear challenge: visible threat acceleration is rapidly outstripping the industry's current rate of financial response.