Japan’s Asahi beer shortage now claimed by Qilin ransomware gang

The Qilin ransomware group is claiming responsibility for last week’s cyberattack on Asahi Holdings, Japan’s largest brewer, which disrupted operations and causing a shortage of the country’s most popular beers, soft drinks, and cold teas.

The Russian-linked cartel on Tuesday posted a swath of alleged file samples allegedly stolen from the Japanese beverage producer.

Although just 29 samples appear on Qilin’s dark leak site, a total of 9,323 files are said to have been exfiltrated as part of the ransomware group’s purported 27GB cache grab.

The beverage behemoth has over 70 global manufacturing plants, citing massive interruptions at all 30 plants located in Japan.

The September 29th Asahi cyberattack has led to the “temporary suspension of all orders and shipments of products from Asahi Group companies, with no prospect of resumption at this time,” Family Mart, one of the company’s leading retailers, said in a statement last week.

Touting over 90 drink brands, and even a food division, other major retailers, Lawson and 7-Eleven, have also warned customers to expect shortages of Asahi products, including Asahi Super Dry, Japan’s most popular beer.

Additional products impacted by the cyberattack include Japanese brands Nikka Whiskey and Asahi’s Fumimaru bottled teas, part of its vast soft drinks line.

Asahi said its operations outside Japan have not been affected by the cyberattack, but it had to suspend orders and shipments, as well as call center operations, within the country due to the “system failure.”

According to The Japan Times, Asahi has resumed beer production at six breweries in Japan. Some of the company's IT systems are still down, affecting day-to-day business operations, such as processing orders. The company’s spokesperson adds that it remains uncertain when all systems will be fully restored.

The financial impact of the attack on the company is also still unknown. When the cyberattack was announced, shares of Asahi plunged more than 7%.

The company was founded in 1889 and currently has over 28,000 employees on the payroll.
The Tokyo-based suds producer is the parent company of Italy’s Peroni, the Netherlands’ Grolsch breweries, the Czech Republic’s Pilsner Urquell, and Australia’s Foster’s beer and 19 Crimes wine.

Trove of sensitive files leaked on victim blog

Last week on its website, Asahi announced to customers that there had been “no confirmed leakage of personal information or customer data to external parties,” but after the Qilin post on Tuesday, that statement is surely outdated.

Qilin boasted of the dozens of leaked documents, which include “financial documents, budgets and contracts, as well as personal data of employees, plans and development forecasts of the company.”

“Part of this information is already available in the public domain,” the group stated in the victim blog post.

Viewed by Cybernews, the 29 provided samples appear to contain a slew of sensitive files, some in English, others in Japanese.

The trove shows multiple profit and loss statements dated January through August 2025, internal company audit reports stamped “Strictly Confidential,” an invoice for a $900K management fee to be paid to Asahi’s San Francisco-based “Beverage and Innovative fund” with bank account numbers, and several employees’ picture ID cards.

Rebecca Moody, Head of Data Research at Comparitech, says that "As the most prolific ransomware gang of 2025, the odds that the attack on Asahi had been carried out by Qilin were relatively high.

Moody also points out that “while the 27GB of data allegedly stolen by Qilin is relatively low compared to some of Qilin's other claims (i.e., 9.7TB from Yooshin Engineering Corporation in South Korea), that's not to say that the data involved isn't highly sensitive.”

Noting that this latest attack “is the 19th confirmed attack on a food and beverage manufacturer this year so far,” Moody says, "Asahi now needs to respond to Qilin's allegations and confirm what data could have been impacted.”

This will allow affected victims to be “on high alert for any potential phishing campaigns or suspicious account activity,” Moody adds.

Qilin ransomware gang dominates 2025

Notorious for targeting hospitals and the manufacturing sector, the Qilin gang – once known as Agenda – first appeared on the ransomware circuit in 2022. However, its dark leak site claims it began operating in 2021.

With more than 88 victims listed since just the beginning of September, Qilin has moved into the number one position as the most active ransomware gang in the past 12 months, after today, targeting roughly 585 victims, according to Cybernews' Ransomlooker monitoring tool.

Agressively outperforming ransomware rivals Cl0p Play, INC Ransom, and Akira, more than 500 attacks were claimed by Qilin after January 1st, 2025.

The group, which is said to actively recruit affiliates on Russian language hacker forums, also avoids targeting Commonwealth of Independent States (CIS) countries, insinuating a Kremlin-aligned agenda.

Known for using a ransomware-as-a-service (RaaS) business model, the cybercriminal outfit often uses double extortion tactics on its victims, demanding a ransom for decryption and then a second payout to guarantee it will not leak the stolen files on the dark web after the fact.

Last making waves with an October 2nd hit on Israel's 4th largest hospital, Shamir Medical Center on Yom Kippur, the group recently claimed attacks on Nissan Japan's design arm, Creative Box, and US pharmaceutical research conglomerate Inotiv.

Past Qilin victims include the California corporate PR firm Singer Associates, global energy and manufacturing giant SK Group, US newspaper conglomerate Lee Enterprises, the Houston Symphony, Detroit’s PBS TV station, top North American auto parts suppliers Yanfeng in China, and the prestigious Utsunomiya cancer treatment center in Japan.