Asahi Group Holdings Ransomware Attack 2025: Digital Order System Disrupted, Nationwide Beer Shortage in Japan

  • Rescana
  • Oct 8

Executive Summary

On September 29, 2025, Asahi Group Holdings experienced a significant ransomware attack that severely disrupted its domestic operations in Japan. The attack paralyzed digital order placement, shipment, and customer service systems, forcing the company to revert to manual processes such as phone, fax, and hand-written orders. This disruption led to a nationwide shortage of Asahi products, including beer and soft drinks, with major retailers such as 7-Eleven, FamilyMart, and Lawson warning of out-of-stock items. While there is evidence of a potential unauthorized data transfer, there is no confirmed compromise of customer data as of the latest official statements. The company’s overseas operations, including its global brands, remain unaffected. Asahi has engaged external cybersecurity experts and law enforcement, and is prioritizing the restoration of supply and system recovery. The incident is part of a broader trend of ransomware attacks targeting Japanese companies in 2025, with significant operational and financial impacts. All information in this summary is based on official statements from Asahi Group Holdings and corroborated by independent news sources (Asahi Group Holdings, Oct. 3, 2025; BBC, early October 2025; The Independent, Oct. 7, 2025).

Technical Information

The cyberattack on Asahi Group Holdings was a ransomware incident, first detected and disclosed on September 29, 2025. The attack targeted the company’s IT infrastructure supporting order placement, shipment, and customer service operations in Japan. The ransomware encrypted critical systems, resulting in a complete halt of digital logistics and customer-facing processes. As a result, Asahi was forced to implement manual order processing, including the use of phone, fax, and hand-written orders, to maintain product supply.

The attack is attributed with medium-high confidence to the Qilin ransomware group, based on their public claim, the posting of sample data and a ransom note on the dark web, and the attack’s alignment with Qilin’s known tactics, techniques, and procedures (TTPs). Qilin is recognized for double extortion tactics, which involve both encrypting data and exfiltrating sensitive information to pressure victims into paying ransoms. In this case, Qilin claimed to have stolen 27GB of data, including 9,300 files with financial and employee information. Asahi confirmed traces suggesting a potential unauthorized data transfer but has not disclosed the full scope or nature of the compromised data, citing an ongoing investigation (Asahi Group Holdings, Oct. 3, 2025; The Independent, Oct. 7, 2025; Qilin claim, Nippon.com, Oct. 8, 2025).

The specific initial access vector used by the attackers has not been disclosed by Asahi or law enforcement. However, ransomware attacks in the Japanese manufacturing and beverage sectors during 2025 commonly exploit phishing emails (MITRE ATT&CK T1566), vulnerabilities in public-facing applications (T1190), or compromised valid accounts (T1078). The attack on Asahi is consistent with these sector trends, but there is no direct evidence confirming the exact method of initial compromise in this case.

The attack’s impact was severe, with the paralysis of logistics, order management, and customer service systems. Asahi’s digital operations were suspended, and the company was unable to receive external emails. The disruption led to a nationwide shortage of Asahi products, with major retailers and restaurant chains reporting out-of-stock items and considering alternative suppliers. The company postponed the launch of 12 new products, including beverages and food items, due to the ongoing system outage. Production at some breweries was gradually restarted using manual processes, but full digital operations had not been restored as of early October 2025.

The attack methods map to several MITRE ATT&CK techniques, including Data Encrypted for Impact (T1486), Service Stop (T1489), Exfiltration Over C2 Channel (T1041), and Inhibit System Recovery (T1490). The ransomware likely disabled security tools and inhibited system recovery, although these steps have not been explicitly confirmed by Asahi. The company’s response included the immediate isolation of affected systems, engagement of external cybersecurity experts, and notification of law enforcement authorities.

The incident is part of a broader trend of ransomware attacks targeting Japanese companies in 2025. The National Police Agency of Japan reported 116 ransomware incidents in the first half of 2025, matching previous highs. Cybersecurity experts have noted that Japanese organizations are increasingly targeted due to perceived weaker defenses and a tendency to pay ransoms. Qilin and similar groups have focused on manufacturing, logistics, and supply chain sectors, exploiting the convergence of operational technology (OT) and IT systems.

The financial impact of the attack is under review, but analyst estimates suggest that if the outage extends further, Asahi’s domestic operating profit could shrink by as much as 83%. The company’s share price experienced a significant drop following the disclosure of the attack, reflecting market concerns about operational and financial disruption.

In summary, the Asahi cyberattack demonstrates the critical risks posed by ransomware to supply chain-dependent industries. The attack’s technical characteristics, sector targeting, and operational impact are consistent with the tactics of the Qilin ransomware group and broader trends in the Japanese threat landscape.

Affected Versions & Timeline

The ransomware attack affected Asahi Group Holdings’ domestic operations in Japan, including order placement, shipment, and customer service systems. The company’s overseas operations, including its global brands such as Fuller’s, Peroni, Pilsner Urquell, and Grolsch, were not impacted.

The timeline of the incident is as follows: The attack was first detected and disclosed on September 29, 2025. Immediate containment measures were implemented, including the isolation of affected systems and the establishment of an Emergency Response Headquarters. As of October 3, 2025, digital order and shipment processes remained suspended, and the company was unable to receive external emails. Manual order processing and partial shipment were initiated to maintain product supply. Production at some breweries was restarted using manual processes by October 7, 2025. The company began preparing to gradually resume call center and customer service operations during the week of October 6, 2025. There is no clear timeline for full system recovery as of the latest official statements (Asahi Group Holdings, Oct. 3, 2025; The Independent, Oct. 7, 2025).

The scope of the disruption is currently limited to Japan, which accounts for approximately half of Asahi’s global sales. The company’s overseas operations and international brands remain unaffected.

Threat Activity

The threat activity in this incident is attributed to the Qilin ransomware group, which publicly claimed responsibility for the attack and posted sample data and a ransom note on the dark web. Qilin is known for targeting manufacturing, healthcare, and logistics sectors, with a focus on organizations with critical supply chains and lower cyber resilience. The group employs double extortion tactics, combining data encryption with the exfiltration of sensitive information to maximize pressure on victims.

In the Asahi incident, Qilin claimed to have stolen 27GB of data, including 9,300 files with financial and employee information. Asahi confirmed traces suggesting a potential unauthorized data transfer but has not disclosed the full scope of the compromised data. The attack paralyzed digital logistics, order management, and customer service systems, forcing the company to revert to manual processes to maintain supply.

The attack fits a broader pattern of ransomware targeting Japanese manufacturing and beverage companies in 2025. The National Police Agency of Japan reported 116 ransomware incidents in the first half of 2025, with Qilin and similar groups exploiting the convergence of OT and IT systems in supply chain-dependent industries. Cybersecurity experts have noted that Japanese companies are increasingly targeted due to perceived weaker defenses and a tendency to pay ransoms (The Independent, Oct. 7, 2025; Dark Reading, Oct. 2025).

The attack methods observed in this incident map to several MITRE ATT&CK techniques, including Data Encrypted for Impact (T1486), Service Stop (T1489), Exfiltration Over C2 Channel (T1041), and Inhibit System Recovery (T1490). The specific initial access vector is not confirmed, but sector trends suggest phishing, exploitation of public-facing applications, or compromised valid accounts as likely entry points.

Mitigation & Workarounds

Critical: Organizations in the manufacturing, beverage, and supply chain sectors should immediately review and strengthen their ransomware defenses. This includes implementing robust email security controls to mitigate phishing risks, patching public-facing applications to address known vulnerabilities, and enforcing strong authentication and access controls to prevent unauthorized account use. Network segmentation should be employed to limit lateral movement and contain potential breaches.

High: Regularly back up critical data and systems, ensuring that backups are stored offline and tested for integrity and recoverability. Develop and test incident response and business continuity plans, including manual fallback procedures for order processing, shipment, and customer service operations. Engage with external cybersecurity experts to conduct threat assessments and tabletop exercises simulating ransomware scenarios.

Medium: Monitor for indicators of compromise associated with the Qilin ransomware group and similar threat actors. This includes monitoring for suspicious network activity, unauthorized data transfers, and the presence of known ransomware tools and techniques. Collaborate with sector peers and law enforcement to share threat intelligence and best practices.
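
One way to act on the "unauthorized data transfers" monitoring above is a per-host egress baseline over daily flow summaries. The Python below is an added example, not code from Asahi, Rescana or any investigation; the host names, addresses, flow records, internal range and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's internal range
MB, GB = 10**6, 10**9

# Constructed daily flow summaries: (day, source host, destination IP, bytes sent).
FLOWS = [
    ("2025-01-01", "order-db", "10.2.0.5", 40 * GB),        # internal backup
    ("2025-01-01", "order-db", "198.51.100.7", 200 * MB),
    ("2025-01-02", "order-db", "198.51.100.7", 300 * MB),
    ("2025-01-03", "order-db", "198.51.100.7", 250 * MB),
    ("2025-01-04", "order-db", "203.0.113.50", 9 * GB),     # two large flows
    ("2025-01-04", "order-db", "203.0.113.50", 18 * GB),    # on the same day
    ("2025-01-01", "web-proxy", "192.0.2.20", 5 * GB),      # busy but steady
    ("2025-01-02", "web-proxy", "192.0.2.20", 6 * GB),
    ("2025-01-03", "web-proxy", "192.0.2.20", 5 * GB),
    ("2025-01-04", "web-proxy", "192.0.2.20", 7 * GB),
    ("2025-01-04", "hr-ws", "192.0.2.99", 200 * MB),        # new, but small
    ("2025-01-04", "new-host", "203.0.113.50", 3 * GB),     # no history at all
]


def daily_external_bytes(flows):
    """Sum bytes sent to non-internal destinations per host and day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if ip_address(dst) not in INTERNAL:
            totals[host][day] += nbytes
    return totals


def egress_alerts(flows, ratio=5, floor=1 * GB, warmup=3):
    """Flag host-days whose external egress is >= floor and > ratio x the
    host's median over the preceding days (silent days count as zero)."""
    days = sorted({f[0] for f in flows})
    alerts = []
    for host, per_day in sorted(daily_external_bytes(flows).items()):
        for i, day in enumerate(days):
            sent = per_day.get(day, 0)
            if i < warmup or sent < floor:
                continue  # not enough window yet, or too small to matter
            baseline = median(per_day.get(d, 0) for d in days[:i])
            if sent > ratio * baseline:
                alerts.append((day, host, sent))
    return alerts
```

Calling `egress_alerts(FLOWS)` flags `order-db` and `new-host` on the last day while leaving the steady `web-proxy` and the small `hr-ws` transfer alone. The `ratio`, `floor` and `warmup` values are illustrative and need tuning against real flow data.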

Low: Provide regular security awareness training to employees, emphasizing the risks of phishing and social engineering attacks. Encourage a culture of security vigilance and prompt reporting of suspicious activity.

Organizations should also review their supply chain dependencies and ensure that third-party risk management processes are in place to assess and mitigate cyber risks posed by vendors and partners.

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chains and vendor ecosystems. Our platform enables continuous risk assessment, supports incident response planning, and facilitates collaboration with external partners to strengthen overall cyber resilience. For questions or further information, please contact us at ops@rescana.com.