Asahi Group Holdings Ransomware Attack: Qilin Breach Disrupts Japanese Operations and Exposes 1.5 Million Records
- Rescana
- Nov 30
- 5 min read

Executive Summary
On September 29, 2025, Asahi Group Holdings, a leading Japanese beverage manufacturer, detected a significant ransomware attack that disrupted its data center operations. The incident, attributed to the Qilin ransomware group, resulted in the compromise of personal information belonging to over 1.5 million individuals, including customers, employees, and external contacts. The attack caused widespread operational disruption, including the suspension of automated order and shipment processing, leading to product shortages across Japan. Asahi’s internal investigation confirmed that attackers gained access by stealing passwords, encrypted critical data, and exfiltrated sensitive information. The company has since reported the breach to Japanese authorities and is implementing enhanced security measures. No evidence has been found of public data release as of the latest updates. The impact was limited to Japanese operations, with no effect on Asahi’s European brands. Attribution to the Qilin group is supported by technical evidence and public claims. All information in this summary is directly sourced from official Asahi statements, NHK World, and BBC News as of November 28, 2025 (https://www.asahigroup-holdings.com/en/newsroom/detail/20251003-0204.html, https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/, https://www.bbc.com/news/articles/ce86n44178no).
Technical Information
The attack on Asahi Group Holdings was executed using the Qilin ransomware (also known as Agenda), a modular malware family written in Golang and Rust, capable of targeting both Windows and ESXi environments. The initial access vector was confirmed as credential theft, with attackers stealing passwords to access Asahi’s data center. This method is consistent with Qilin’s known tactics, which include phishing, brute-force attacks, and exploitation of exposed remote access services (NHK World, https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/).
Once inside the network, the attackers moved laterally and escalated privileges using tools such as embedded Mimikatz modules for credential dumping and access token manipulation, which let them deploy ransomware payloads to a wide range of systems. Qilin is also known to use PsExec for remote code execution, custom PowerShell scripts for deployment, and obfuscation and self-deletion routines to evade detection (MITRE ATT&CK S1242, https://attack.mitre.org/software/S1242/).
Persistence was established through registry run keys and scheduled tasks, while defense evasion was achieved by terminating antivirus processes and rebooting systems into safe mode. The ransomware encrypted data using strong cryptographic algorithms (AES-256 or ChaCha20 for file encryption, RSA-4096/2048 for key protection) and inhibited system recovery by deleting shadow copies and clearing event logs. Together, these actions produced the encryption of critical data, the operational disruption, and the exfiltration of sensitive information described above.
The Qilin group operates as a Ransomware-as-a-Service (RaaS), with affiliates targeting multiple sectors globally, including manufacturing, healthcare, and financial services. The group’s tactics, techniques, and procedures (TTPs) align closely with those observed in the Asahi incident, including the use of credential theft for initial access, lateral movement via credential dumping, and the deployment of ransomware for double extortion (MITRE ATT&CK S1242, HHS.gov Qilin Threat Profile, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf).
The technical evidence supporting attribution to Qilin includes the group’s public claim of responsibility, the use of known Qilin malware and TTPs, and the alignment of the attack’s impact with previous Qilin operations. The attack leveraged a broad set of MITRE ATT&CK techniques, including T1566.001/.002 (Phishing), T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1003.001 (OS Credential Dumping), T1134 (Access Token Manipulation), T1021.002 (Remote Services), T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task), T1562.001/.009 (Impair Defenses), T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), and T1070.001/.004 (Indicator Removal).
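As an added example (not code from the Rescana report, Asahi, or any Qilin artifact), the following Python detector scans constructed process-creation log lines for the recovery-inhibition, log-clearing and persistence commands that the technique list above maps to T1490, T1070.001, T1547.001, T1053.005 and T1562.009, and flags hosts where several of those techniques co-occur. The log line format, hostnames, user names and timestamps are all hypothetical.

```python
import re
from collections import defaultdict
# Detection rules: (ATT&CK technique ID cited in the report, description, regex on
# the process command line). These are stock Windows utilities that ransomware
# abuses to inhibit recovery, evade defenses and persist.
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows recovery disabled", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("T1562.009", "safe-mode boot configured", re.compile(r"bcdedit.*safeboot", re.I)),
    ("T1070.001", "event log cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("T1547.001", "Run key persistence", re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run", re.I)),
    ("T1053.005", "scheduled task created", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
]

# Hypothetical collector line format (constructed for this example): ts host= user= cmd=
LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")

def detect(lines):
    """Return one hit dict per (log line, matching rule); malformed lines are skipped."""
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        rec = m.groupdict()
        for tid, desc, rx in RULES:
            if rx.search(rec["cmd"]):
                hits.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                             "technique": tid, "desc": desc, "cmd": rec["cmd"]})
    return hits

def hosts_with_impact_chain(hits, min_distinct=2):
    """Hosts showing at least min_distinct different techniques: one vssadmin call can be
    admin work, but recovery inhibition plus log clearing on one host is the reported chain."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["technique"])
    return sorted(host for host, techs in seen.items() if len(techs) >= min_distinct)

# Constructed sample log; hostnames, users and timestamps are invented.
SAMPLE_LOG = [
    r"2025-09-29T02:14:03Z host=DC-APP01 user=CORP\svc-backup cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2025-09-29T02:14:05Z host=DC-APP01 user=CORP\svc-backup cmd=bcdedit /set {default} recoveryenabled No",
    r"2025-09-29T02:14:09Z host=DC-APP01 user=CORP\svc-backup cmd=wevtutil cl Security",
    r"2025-09-29T02:15:40Z host=WS-0142 user=CORP\jdoe cmd=schtasks /create /tn Updater /tr C:\Users\jdoe\up.exe /sc onlogon",
    r"2025-09-29T02:16:00Z host=WS-0142 user=CORP\jdoe cmd=notepad.exe C:\Users\jdoe\notes.txt",
    "garbage line that does not match the collector format",
]
```

Running `detect(SAMPLE_LOG)` yields four hits, and `hosts_with_impact_chain` flags only DC-APP01, where two distinct techniques appear within seconds; the single scheduled task on WS-0142 stays below the threshold and would need corroboration.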
The attack’s operational impact was severe, crippling most of Asahi’s factories in Japan and forcing a switch to manual order processing. The company’s market share and financial performance were affected, with delayed financial results and anticipated losses for the fiscal year. Restoration efforts began shortly after the attack, with full system recovery targeted for February 2026 (NHK World, https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/).
Affected Versions & Timeline
The breach affected systems managed by Asahi Group Holdings in Japan, with no impact on European brands such as Peroni and Fuller’s Brewery (BBC News, https://www.bbc.com/news/articles/ce86n44178no). The timeline of the incident is as follows: On September 29, 2025, Asahi detected a disruption at its data center and initiated containment and investigation. By October 3, 2025, the company publicly disclosed the ransomware attack and began manual operations to maintain product supply (https://www.asahigroup-holdings.com/en/newsroom/detail/20251003-0204.html). In late November 2025, Asahi confirmed that over 1.5 million customer records and up to 1.9 million pieces of personal information were compromised, including data for 107,000 employees, 168,000 family members, and 114,000 external contacts (NHK World, https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/).
The only confirmed cases of data exposure involved 18 items of employee-related personal information stored on company-issued laptops. No credit card details were included in the leaked data. The company reported its findings to the Japanese government’s commission on personal information protection and has not confirmed any evidence of public data release as of the latest updates (BBC News, https://www.bbc.com/news/articles/ce86n44178no).
Threat Activity
The Qilin ransomware group is a well-documented threat actor operating as a Ransomware-as-a-Service (RaaS) since at least 2022. The group has targeted multiple sectors globally, with a notable increase in attacks in Asia and Europe during 2024–2025. Qilin is known for exploiting public-facing applications, conducting phishing campaigns, and leveraging supply chain attacks to gain initial access. The group’s affiliates use a variety of tools and techniques, including embedded Mimikatz for credential dumping, PsExec for lateral movement, and custom PowerShell scripts for deployment (MITRE ATT&CK S1242, https://attack.mitre.org/software/S1242/).
In the Asahi incident, the attackers gained access by stealing passwords, repeatedly broke into servers, and deployed ransomware that encrypted data and disrupted operations. The group’s tactics included establishing persistence, evading defenses, and inhibiting system recovery. The operational impact included the suspension of automated order and shipment processing, leading to product shortages and financial losses. The attack was limited to Japanese operations, with no evidence of impact on European brands or public data release as of the latest updates (NHK World, https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/).
The Qilin group’s history of targeting large enterprises in critical sectors, including manufacturing and food/beverage, aligns with the Asahi attack. Previous incidents include attacks on healthcare, financial services, and managed service providers. The group’s use of double extortion tactics, where data is both encrypted and exfiltrated for ransom demands, is consistent with the observed impact on Asahi (HHS.gov Qilin Threat Profile, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf).
Mitigation & Workarounds
The following mitigation strategies are prioritized by severity:
Critical: Immediate review and reset of all privileged and administrative credentials, especially those used for remote access to data centers and critical infrastructure. Implement multi-factor authentication (MFA) for all remote and administrative access points to prevent credential-based attacks. Conduct a comprehensive audit of all remote access services, including RDP, VPN, and Citrix, to ensure they are secured, patched, and monitored for anomalous activity (MITRE ATT&CK T1078, T1190, https://attack.mitre.org/software/S1242/).
High: Deploy advanced endpoint detection and response (EDR) solutions capable of detecting credential dumping, lateral movement, and ransomware behaviors. Regularly update and patch all systems, including operating systems, applications, and security tools, to address known vulnerabilities exploited by ransomware groups. Implement network segmentation to limit lateral movement and restrict access to sensitive data and critical systems.
Medium: Enhance user awareness training to recognize and report phishing attempts, which are a common initial access vector for ransomware attacks. Regularly back up critical data and ensure backups are stored offline or in immutable storage to prevent ransomware encryption and facilitate rapid recovery.
Low: Review and update incident response plans to include ransomware-specific scenarios, ensuring that roles, responsibilities, and communication protocols are clearly defined. Conduct regular tabletop exercises to test response capabilities and identify areas for improvement.
Asahi has already implemented measures to fix vulnerabilities and strengthen information security across the group. Organizations are advised to follow similar best practices and remain vigilant for emerging ransomware threats (NHK World, https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/).
References
Official Asahi Group Holdings statement (October 3, 2025): https://www.asahigroup-holdings.com/en/newsroom/detail/20251003-0204.html
BBC News (November 28, 2025): https://www.bbc.com/news/articles/ce86n44178no
NHK World (November 27, 2025): https://www3.nhk.or.jp/nhkworld/en/news/20251127_B3/
MITRE ATT&CK Qilin S1242: https://attack.mitre.org/software/S1242/
HHS.gov Qilin Threat Profile: https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf
Rescana Qilin Financial Sector Attack: https://www.rescana.com/post/qilin-ransomware-exploits-south-korean-msp-breach-in-korean-leaks-attack-impacting-28-financial-org
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and vendor ecosystem. Our platform enables continuous risk assessment, automated evidence collection, and actionable reporting to support incident response and compliance efforts. For questions or further information, please contact us at ops@rescana.com.