The cyberattack against Asahi Group Holdings, Ltd. was a ransomware incident attributed to the Qilin ransomware group, which infiltrated the company's network and encrypted multiple servers and PCs, disrupting operations across Japan.
In an era of hyper-automation, few expect pen and paper to become a business continuity strategy. Yet in late 2025, a ransomware attack on Asahi Group Holdings, Ltd. ("Asahi") forced exactly that. Asahi is Japan’s largest brewing firm and a dominant force in the global beverage industry, headquartered in Tokyo. Prior to this incident, the company controlled approximately 40% of the Japanese beer market and generated nearly $20 billion in annual revenue.
The attack affected automated ordering and logistics systems, bringing the physical supply chain of one of Japan’s largest brewers to a standstill. Staff reverted to manual processes, while beverage shortages spread across retailers and restaurants both domestically and internationally. Beyond operational disruption, forensic investigations later revealed a large-scale data breach impacting nearly 1.52 million customers.
High-level impact summary
Operational impact: The strike paralyzed domestic operations, forcing the suspension of 30 domestic factories and halting automated order processing, shipping, and customer call centers.
Supply chain impact: Massive disruption affected major retailers (7-Eleven, Lawson, FamilyMart) and thousands of izakaya pubs, which were forced to switch to rival brands like Kirin or Sapporo due to empty shelves.
Breach impact: Originally described as a "system failure," it was later confirmed as a ransomware attack involving a massive data breach affecting over 1.5 million customers and 275,000 employees and their families.
Impact of Asahi attack on shares. Source: Bloomberg
Attack timeline
September 29, 2025: Initial intrusion and containment
Asahi detected unauthorized access at one of its data centers. In response, IT teams isolated affected networks to contain the intrusion. This containment measure resulted in an immediate shutdown of domestic production and logistics systems.
September 30–October 2, 2025: Operational disruption
With automated ordering and shipping systems offline, Asahi’s domestic operations ground to a halt. Employees reverted to manual fallback processes—visiting customers in person and processing orders using pen, paper, and fax machines to sustain limited business continuity.
October 3, 2025: Public disclosure of ransomware activity
Asahi publicly confirmed that its servers had been targeted by a ransomware attack. The company also acknowledged evidence of unauthorized data transfer.
October 6, 2025: Supply shortages escalate
Major retailers warned of an imminent total shortage of Asahi Super Dry as existing inventory levels were depleted.
October 7, 2025: Attack claimed by Qilin
The Qilin ransomware group, also known as Agenda, claimed responsibility for the attack, stating that it had exfiltrated approximately 27GB of data.
Active since mid-2022, Qilin operates as a ransomware-as-a-service (RaaS) group, providing tooling to affiliates in exchange for a share of ransom payments. The group is known for targeting high-value sectors such as manufacturing and professional services and for employing double-extortion tactics: it uses a dedicated leak site to pressure victims by threatening public data exposure, even when a victim can technically restore its systems from backups.
November 27, 2025: Statement release by Asahi
Following nearly two months of forensic investigation, Asahi disclosed the full extent of the incident. Contrary to initial assessments, the company confirmed that personal information had been compromised, affecting approximately 1.5 million customers and hundreds of thousands of employees.
How the attack unfolded at Asahi
The attack began early in the morning—around 7:00am JST on September 29th—when system disruptions were detected across Asahi’s infrastructure.
- Initial compromise—network equipment as the entry point: Threat actors gained unauthorized access through network equipment located at a Group site, allowing them to infiltrate the data center network.
- Rapid deployment: Once inside the network, the attackers simultaneously deployed ransomware across multiple active servers, as well as connected PC devices.
- Containment: By approximately 11:00am JST, Asahi disconnected affected systems and isolated the data center network to prevent further spread. However, by that time:
  - Multiple production systems had been encrypted
  - Employee-issued PCs were impacted
  - Sensitive data exposure was suspected
- Potential data exposure: During the forensic investigation, Asahi identified that:
  - Data from company-issued employee PCs had been exposed
  - Personal information stored on servers may have been accessed
What common vulnerabilities and exposures (CVEs) does Qilin exploit?
Qilin affiliates frequently target unpatched, network-facing applications.
Notable vulnerabilities
- Fortinet FortiOS/FortiProxy (CVE-2024-21762 and CVE-2024-55591): Recent Qilin tactics involve automating attacks against these critical vulnerabilities in SSL-VPN devices. CVE-2024-21762 allows for remote command execution, while CVE-2024-55591 is an authentication bypass used for privilege escalation.
- Veeam backup and replication (CVE-2023-27532): This flaw allows attackers to access encrypted credentials stored in the configuration database, which can lead to the compromise of backup systems.
- CitrixBleed (CVE-2023-3519): Security researchers have reported a shift in operations where affiliates utilize this vulnerability to deploy Qilin ransomware.
- Confluence (CVE-2023-22515): This exploit is used by affiliates to gain entry into enterprise environments.
- Fortinet FortiOS (CVE-2023-27997): Qilin operators target remote access services in Fortinet devices, specifically exploiting older or unpatched software versions.
Infrastructure and platform targeting
- VMware ESXi infrastructure: Since late 2023, Qilin has increasingly targeted VMware ESXi servers using Linux-based variants to paralyze virtualized environments.
- Windows systems: The group continues to target Windows-based enterprise environments, using malware that can terminate processes for databases, ERP systems, and virtual machines.
- Legacy systems: A significant vulnerability for large organizations is the use of "patchwork" legacy systems inherited through acquisitions, which may lack modern security controls and are difficult to integrate or patch.
Access and evasion exploits
- Remote access misconfigurations: Affiliates exploit weak or exposed access points, including misconfigured RDP, SQL injection flaws in exposed applications, and unpatched VPN gateways.
- Chrome extension infostealer: In 2024, Qilin expanded its capabilities to include an infostealer targeting Google Chrome, specifically designed to harvest credentials from browser data to facilitate further access.
- Vulnerable system drivers: The ransomware executable can exploit vulnerable system drivers to evade security defenses during its deployment phase.
- Security service termination: Recent ransomware variants like Qilin.B are designed to terminate services associated with antivirus and security tools to prevent detection.
Initial access vectors
- Spearphishing: Malicious links or attachments in targeted emails.
- MFA bombing and SIM swapping: Tactics used to bypass multi-factor authentication (MFA).
- Remote monitoring and management (RMM) exploitation: Misusing legitimate RMM software to maintain persistence or move laterally.
Key takeaways for CISOs
The Asahi incident involving the Qilin ransomware group highlights several critical strategic and technical takeaways for CISOs, particularly those managing complex global supply chains and legacy infrastructure.
1. Prioritize supply chain and operational resilience
- Maintain immutable backups: When automated systems failed, Asahi reverted to manual processes using pen, paper, and fax machines. Organizations should establish offline, immutable backups and test recovery environments that are isolated from the main network. Recovery plans should align with defined recovery time objectives and recovery point objectives to ensure quick restoration of critical systems without the risk of reinfection.
- Account for competitive impact: During the disruption, competitors such as Kirin and Sapporo replaced Asahi’s dispensing units and glassware in bars. This made it difficult for Asahi to reclaim its 40% market share even after operations stabilized, illustrating how cybersecurity incidents can directly affect long-term market position.
2. Manage technical debt and mergers and acquisitions (M&A) risks
Asahi’s vulnerability was largely attributed to an inadequately patched patchwork of legacy systems inherited through years of global acquisitions.
- Secure post-acquisition environments: Asahi’s global acquisitions left a patchwork of legacy systems. At the time of the attack, these systems were still being consolidated. CISOs should treat M&A integration periods as high-risk and apply compensating controls until old systems are fully decommissioned.
- Prioritize vulnerability and patch management: Qilin frequently exploits known vulnerabilities in internet-facing systems, such as Veeam Backup & Replication and Fortinet SSL-VPNs. To reduce risk, public-facing applications should be continuously monitored and patched based on exploitability.
3. Assume and prepare for double extortion
- Avoid premature breach conclusions: Asahi initially stated there was no evidence of data compromise. However, a nearly two-month forensic investigation later confirmed that data related to 1.52 million customers and 275,000 employees had likely been exposed. CISOs are responsible for ensuring that only disciplined, fact-based public communications are released.
- Move beyond recoverable backups: Qilin variants delete Windows VSS backups, limiting local recovery options. Organizations must maintain immutable, off-site backups to ensure recovery without reliance on ransom payment.
4. Harden infrastructure against modern ransomware tactics
Qilin’s technical evolution highlights gaps in traditional defensive models.
- Secure virtualized environments: Qilin has specifically targeted VMware ESXi infrastructure, enabling attackers to disrupt entire data centers through a single attack path. CISOs should treat hypervisor security as a Tier-1 risk by enforcing strict access controls, segmentation, timely patching, and resilient backup strategies.
- Limit blast radius through segmentation: Micro-segmentation of networks helps prevent lateral movement and limits the blast radius of ransomware.
- Strengthen authentication controls: The ransomware group also commonly leverages credential theft and MFA fatigue attacks. Stronger, phishing-resistant authentication methods are increasingly necessary.
5. Strengthen strategic and legal preparedness
- Prepare for legal and regulatory leverage: Qilin's “Call Lawyer” feature helps threat actors identify applicable data protection regulations and potential compliance penalties, using regulatory exposure as a negotiation tactic. CISOs must align incident response with legal and compliance teams, maintain breach notification readiness, conduct regulatory impact assessments, and ensure appropriate cyber insurance coverage to mitigate financial and legal fallout.
- Expand incident response exercises: Tabletop exercises should include legal, communications, and operations teams, not just IT. Scenarios should explicitly address ransom negotiations and recovery decisions to ensure executive alignment before an incident occurs.
How SIEM can fortify your security
The Asahi incident highlights how modern ransomware attacks are not just about encrypted files but also involve data exfiltration and double extortion. A security information and event management (SIEM) solution plays a critical role in defending against this type of threat by providing centralized visibility, real-time alerting, and actionable insights across IT and OT environments.
- Detect suspicious activity early: A SIEM solution can monitor abnormal logins, failed MFA attempts, and unusual administrative activity—all common vectors exploited by Qilin affiliates. Alerts on unexpected access to sensitive databases or bulk file downloads can signal potential data exfiltration before ransomware is deployed.
- Correlate events across systems: Qilin targets a mix of legacy, virtualized, and cloud systems. A SIEM solution aggregates logs from multiple sources—including Windows, Linux, VMware ESXi, VPNs, and backup systems—allowing CISOs to identify suspicious activities that may appear innocuous in isolation. Additionally, integrating vulnerability scanners with SIEM enables automatic alerting on unpatched critical systems and helps track remediation efforts across the enterprise.
- Support incident response and forensics: In a complex attack like Asahi’s, where data exfiltration and ransomware ran in parallel, a SIEM solution provides a centralized audit trail. This accelerates investigations and helps determine which systems and data were compromised. Additionally, integrating SIEM with backup and endpoint monitoring tools ensures that recovery actions are informed and safe, reducing the risk of paying ransom unnecessarily.
- Strengthen compliance readiness: By continuously monitoring access to sensitive data, a SIEM solution can generate reports for compliance and legal teams, helping them quickly respond to potential breaches of customer or employee information.
Frequently asked questions
The attack severely disrupted Asahi's operations in Japan, forcing a temporary shift to manual processes and reducing beer sales by an estimated 10-20% of normal capacity. It also resulted in the likely exposure of data belonging to 1.52 million customers and 275,000 employees.
The attack on Asahi was claimed by the Qilin ransomware group, a sophisticated RaaS cybercrime organization.
Qilin ransomware exploits critical vulnerabilities in enterprise infrastructure, particularly Fortinet FortiOS/FortiProxy (CVE-2024-21762, CVE-2024-55591, CVE-2023-27997), Veeam Backup & Replication (CVE-2023-27532), Citrix NetScaler "CitrixBleed" (CVE-2023-3519), and Atlassian Confluence (CVE-2023-22515).
These flaws primarily enable remote code execution, authentication bypass, credential theft, and privilege escalation, allowing attackers to gain initial access, compromise backup systems, and deploy ransomware across virtualized and Windows-based environments.
The breach disrupted production and logistics across Asahi's domestic operations, and continues to delay the company's third-quarter and year-end financial results for 2025. Year-over-year beer sales for the company were reduced by 10% or more for the months of October, November, December, and January; however, Asahi has not disclosed any information regarding the total cost of this attack.
Related solutions
ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principle of least privilege with AD360.
To learn more, sign up for a personalized demo.
ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.
To learn more, sign up for a personalized demo.
This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.