Asahi Confirms Qilin Ransomware Breach Exposed Data of Nearly 2 Million

Japanese Beverage Giant Asahi Confirms Qilin Ransomware Attack Exposed Data of 1.9 Million Individuals

HIGH
November 29, 2025
6m read
Ransomware, Data Breach, Cyberattack

Impact Scope

People Affected

1.914 million

Industries Affected

Manufacturing, Retail

Geographic Impact

Japan (national)

Executive Summary

On November 28, 2025, Japanese beverage conglomerate Asahi Group Holdings publicly disclosed the full impact of a ransomware attack that occurred on September 29, 2025. The attack, attributed to the Qilin ransomware group, resulted in the confirmed exfiltration of personal data belonging to approximately 1.914 million people. The compromised data includes sensitive Personally Identifiable Information (PII) of customers, employees, their families, and external business contacts. The incident caused severe disruption to Asahi's domestic operations, forcing a suspension of production and shipping. The company has stated that no credit card information was compromised and it did not pay the ransom.

Threat Overview

The attack was initiated on September 29, 2025, when the Qilin ransomware gang gained unauthorized access to Asahi's network. The threat actors leveraged a compromised piece of network equipment at a domestic site as their initial entry point. From there, they performed lateral movement throughout the corporate network, eventually reaching core data center servers. The attackers then deployed ransomware payloads simultaneously across multiple servers and employee PCs, encrypting files and rendering critical systems inoperable. In early October, the Qilin group claimed responsibility, alleging the theft of 27 GB of data and listing Asahi on their data leak site. The two-month forensic investigation confirmed the scope of the data exfiltration, which impacted a wide range of individuals associated with the company.

Technical Analysis

The attack chain demonstrates a common but effective methodology used by sophisticated ransomware groups.

  1. Initial Access: The attackers exploited a vulnerability in network equipment. This likely corresponds to T1190 - Exploit Public-Facing Application.
  2. Lateral Movement: After establishing a foothold, the attackers moved across the network to access high-value targets. This could have involved techniques like T1021.002 - SMB/Windows Admin Shares to pivot from the initial entry point to critical servers.
  3. Data Exfiltration: Before encryption, the attackers exfiltrated 27 GB of data. This is a common double-extortion tactic, using techniques like T1567.001 - Exfiltration to Cloud Storage or T1041 - Exfiltration Over C2 Channel.
  4. Impact: The final stage involved deploying ransomware to encrypt files across the network, consistent with T1486 - Data Encrypted for Impact. This was done to maximize operational disruption and pressure the victim into paying the ransom.

Impact Assessment

The cyberattack had a severe, multi-faceted impact on Asahi Group Holdings:

  • Operational Impact: The encryption of core systems forced a halt to production, order processing, and shipping. This led to significant product shortages across Japan and direct revenue loss.
  • Financial Impact: Beyond lost revenue, Asahi incurred substantial costs related to incident response, forensic investigation, system restoration, and legal counsel. The company also had to delay its annual financial reporting.
  • Reputational Impact: As a major consumer brand, the breach of 1.9 million individuals' data has caused significant reputational damage and eroded customer trust.
  • Regulatory Impact: The breach falls under Japan's Act on the Protection of Personal Information (APPI), which may lead to regulatory fines and penalties.
  • Affected Parties: The breach impacted 1,525,000 customers, 114,000 external contacts, 107,000 current/former employees, and 168,000 employee family members.

Cyber Observables for Detection

Security teams can hunt for Qilin-related activity by looking for the following observables:

| Type | Value | Description |
| --- | --- | --- |
| file_name | README-TO-DECRYPT.txt | Common ransom note name used by Qilin ransomware. |
| file_path | C:\Users\<user>\AppData\Local\Temp\ | Qilin often uses temporary directories to stage payloads. |
| process_name | bitsadmin.exe | May be used for downloading subsequent payloads or tools. |
| command_line_pattern | vssadmin.exe delete shadows /all /quiet | Command to delete volume shadow copies to prevent restoration. |
| network_traffic_pattern | High-volume outbound traffic to unknown cloud storage providers (e.g., Mega.io, pCloud) | Indicator of potential data exfiltration prior to encryption. |
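The host-based rows of the table can be turned directly into matching logic. The script below is an added example (not code from the report or from any vendor tool): it normalizes Sysmon-style file-create and process-start events, matches them against the four endpoint observables, and then counts how many distinct observables fired per host, because bitsadmin.exe on its own is weak evidence while shadow-copy deletion plus a staged binary in a user's Temp directory on the same host is not. The event dicts, host names and the placeholder URL are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Observables from the table above, encoded as matchers (added example code).
RANSOM_NOTE_NAMES = {"readme-to-decrypt.txt"}
STAGING_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
SUSPECT_DOWNLOADERS = {"bitsadmin.exe"}
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.IGNORECASE
)
STAGED_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat")


@dataclass(frozen=True)
class Alert:
    host: str
    observable: str   # row of the observables table that matched
    evidence: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list[Alert]:
    """Match one normalized endpoint event against the observables."""
    host = event.get("host", "unknown")
    alerts = []
    if event["type"] == "file_create":
        path = event["path"]
        name = _basename(path)
        if name in RANSOM_NOTE_NAMES:
            alerts.append(Alert(host, "file_name", path))
        # Only executable content in the Temp staging directory is interesting;
        # ordinary .tmp files there are normal application noise.
        if STAGING_DIR_RE.match(path) and name.endswith(STAGED_EXTENSIONS):
            alerts.append(Alert(host, "file_path", path))
    elif event["type"] == "process_start":
        image = _basename(event["image"])
        cmdline = event.get("command_line", "")
        if image in SUSPECT_DOWNLOADERS:
            alerts.append(Alert(host, "process_name", image))
        if SHADOW_DELETE_RE.search(cmdline):
            alerts.append(Alert(host, "command_line_pattern", cmdline))
    return alerts


def scan(events) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


def distinct_observables_per_host(alerts) -> dict[str, int]:
    """Number of different observable types seen per host; several distinct
    observables on one host is what should page an analyst."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.observable)
    return {host: len(kinds) for host, kinds in seen.items()}


# Constructed sample telemetry (not real events from the incident).
SAMPLE_EVENTS = [
    {"type": "process_start", "host": "WS-0142",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin.exe /transfer job1 /priority high <placeholder-url> C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"type": "file_create", "host": "WS-0142",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"type": "process_start", "host": "WS-0142",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_create", "host": "FS-01",
     "path": r"C:\Shares\Finance\README-TO-DECRYPT.txt"},
    # benign noise that must not alert
    {"type": "file_create", "host": "WS-0099",
     "path": r"C:\Users\asato\AppData\Local\Temp\report.tmp"},
    {"type": "process_start", "host": "WS-0099",
     "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:8} {a.observable:22} {a.evidence}")
    print(distinct_observables_per_host(found))
```

On the constructed sample, WS-0142 accumulates three distinct observables and FS-01 one, while WS-0099 produces nothing; in a real deployment the per-host count would be evaluated over a short time window rather than over the whole event stream.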

Detection & Response

  • Network Monitoring: Implement Network Traffic Analysis to detect anomalous data flows, especially large outbound transfers to unusual destinations, which could indicate data exfiltration.
  • Endpoint Detection: Use an EDR solution to monitor for suspicious process chains, such as powershell.exe or cmd.exe spawning from office applications or network services. Look for commands related to disabling security tools (T1562 - Impair Defenses) or deleting backups.
  • Log Analysis: Correlate logs from VPNs, firewalls, and domain controllers. Look for authentication anomalies, such as logins from unusual geolocations or multiple failed logins followed by a success, which could indicate brute-forcing or credential stuffing against perimeter devices.
  • File Integrity Monitoring: Monitor critical system files and directories for unauthorized changes. Implement File Analysis with canary files (honeypot files) in key locations; an alert on their modification can provide early warning of ransomware activity.
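Two of the checks above, the "multiple failed logins followed by a success" pattern from the Log Analysis item and the canary-file check from the File Integrity Monitoring item, are small enough to show end to end. The script below is an added example, not code from the report: it parses constructed syslog-style VPN authentication lines (documentation IP ranges, invented user names), flags a (user, source) pair that fails repeatedly inside a window and then succeeds, and hashes a decoy file so that an overwrite of it is detected. The log format and field names are assumptions for the example.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Constructed VPN authentication records (not data from the Asahi incident).
VPN_LOG = """\
2025-09-28T09:02:11Z vpn01 auth user=jsmith src=198.51.100.20 result=SUCCESS
2025-09-28T22:41:03Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2025-09-28T22:41:09Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2025-09-28T22:41:15Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2025-09-28T22:41:22Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2025-09-28T22:41:30Z vpn01 auth user=jsmith src=203.0.113.5 result=SUCCESS
2025-09-28T22:45:01Z vpn01 auth user=asato src=198.51.100.7 result=FAIL
2025-09-28T22:45:20Z vpn01 auth user=asato src=198.51.100.7 result=SUCCESS
2025-09-28T23:10:00Z vpn01 auth user=mkato src=203.0.113.9 result=FAIL
2025-09-28T23:10:05Z vpn01 auth user=mkato src=203.0.113.9 result=FAIL
2025-09-28T23:10:11Z vpn01 auth user=mkato src=203.0.113.9 result=FAIL
2025-09-28T23:10:17Z vpn01 auth user=mkato src=203.0.113.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>FAIL|SUCCESS)$"
)


def parse_vpn_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                      # unparseable lines are skipped, not fatal
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag (user, source) pairs with >= min_failures FAILs inside `window`
    immediately followed by a SUCCESS. A FAIL streak with no SUCCESS is not
    returned here; that is a lockout or still-running attempt for a separate rule."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["user"], ev["src"])].append(ev)
    findings = []
    for (user, src), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        streak = []
        for ev in evs:
            if ev["result"] == "FAIL":
                streak.append(ev["ts"])
                streak = [t for t in streak if ev["ts"] - t <= window]  # drop stale failures
            else:
                if len(streak) >= min_failures and ev["ts"] - streak[0] <= window:
                    findings.append({"user": user, "src": src,
                                     "failures": len(streak), "success_at": ev["ts"]})
                streak = []
    return findings


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def canary_baseline(paths) -> dict:
    return {Path(p): _sha256(Path(p)) for p in paths}


def canary_tripped(baseline: dict) -> list:
    # A canary counts as tripped if it was deleted/renamed or its content changed.
    return [p for p, digest in baseline.items() if not p.exists() or _sha256(p) != digest]


def demo_canary() -> bool:
    """Simulate an overwrite of a decoy file and confirm the baseline catches it."""
    with tempfile.TemporaryDirectory() as d:
        decoy = Path(d) / "~finance_archive.xlsx"     # decoy name, constructed
        decoy.write_bytes(b"decoy content that nobody should ever edit")
        baseline = canary_baseline([decoy])
        untouched = canary_tripped(baseline) == []
        decoy.write_bytes(b"\x00\x1f overwritten content")
        return untouched and canary_tripped(baseline) == [decoy]


if __name__ == "__main__":
    for f in failed_then_success(parse_vpn_log(VPN_LOG)):
        print(f"ALERT {f['user']} from {f['src']}: {f['failures']} failures, "
              f"then success at {f['success_at']:%H:%M:%S}")
    print("canary check:", "tripped" if demo_canary() else "missed")
```

In the sample, only jsmith from 203.0.113.5 is flagged: asato's single failure is ordinary typing, and mkato's four failures without a success belong to a different rule. Canary files should carry names that look valuable to an encryptor and be excluded from any legitimate automation that writes to those shares, or the check will trip on housekeeping jobs.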

Mitigation

  • Patch Management: Prioritize patching of internet-facing network equipment, VPNs, and firewalls. Implement a robust vulnerability management program to address critical vulnerabilities promptly. This is a key Software Update (D3-SU) control.
  • Network Segmentation: Implement Network Isolation (D3-NI) to limit lateral movement. Isolate critical manufacturing and operational technology (OT) networks from the corporate IT network. Ensure data center servers cannot be accessed directly from less secure network segments.
  • Access Control: Enforce the principle of least privilege. Implement Multi-factor Authentication (D3-MFA) on all remote access points, privileged accounts, and critical system logins.
  • Backup and Recovery: Maintain multiple, isolated offline backups of critical data and systems. Regularly test restoration procedures to ensure they are effective in a real-world incident.

Timeline of Events

  1. September 29, 2025: Qilin ransomware group gains initial access and deploys ransomware, causing system shutdowns.
  2. October 1, 2025: Qilin claims responsibility for the attack and lists Asahi on its data leak site.
  3. November 28, 2025: Asahi Group Holdings publicly discloses the full scope of the breach, confirming 1.914 million individuals were affected.
  4. November 29, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Regularly update and patch all software, especially internet-facing network equipment, to prevent exploitation of known vulnerabilities. Mapped D3FEND technique: Software Update (D3-SU), as listed under Mitigation above.
  • Segment networks to contain breaches and prevent attackers from moving laterally from IT to critical OT or data center environments. Mapped D3FEND technique: Network Isolation (D3-NI), as listed under Mitigation above.
  • Enforce MFA on all remote access points, administrative accounts, and critical applications to protect against credential compromise. Mapped D3FEND technique: Multi-factor Authentication (D3-MFA), as listed under Mitigation above.
  • Audit (M1047, enterprise): Implement comprehensive logging and monitoring to detect suspicious activities such as anomalous logins and large-scale data access.

D3FEND Defensive Countermeasures

Deploy network traffic analysis tools to establish a baseline of normal east-west and north-south traffic patterns. Specifically monitor for large, unexpected data transfers from internal servers to external IP addresses, a key indicator of data exfiltration preceding ransomware deployment. Given Qilin's tactics, pay close attention to traffic from database servers and file shares directed towards known cloud storage providers or anonymous file-sharing services. Configure alerts for traffic volume anomalies, connections to non-standard ports, and traffic to newly registered domains. This proactive monitoring can provide the critical window needed to detect and isolate a compromised system before the final encryption stage is executed.
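The baselining described in this paragraph and in the Network Monitoring item under Detection & Response comes down to two checks: does a host's outbound volume today exceed its own history, and is any of today's traffic going to a cloud storage provider. The script below is an added example (not the report's or any NTA product's code) over constructed daily flow summaries with reserved example domains; the 27 GB figure on the last day mirrors the volume Qilin claimed. The provider list and the thresholds are assumptions to be tuned against your own traffic.

```python
import statistics
from collections import defaultdict

# Constructed daily flow summaries: (day, src_host, dst_domain, bytes_out).
FLOWS = [
    ("2025-09-22", "db-01", "backup.corp.example", 4_000_000_000),
    ("2025-09-23", "db-01", "backup.corp.example", 4_100_000_000),
    ("2025-09-24", "db-01", "backup.corp.example", 3_900_000_000),
    ("2025-09-25", "db-01", "backup.corp.example", 4_200_000_000),
    ("2025-09-26", "db-01", "backup.corp.example", 4_000_000_000),
    ("2025-09-27", "db-01", "backup.corp.example", 4_100_000_000),
    ("2025-09-28", "db-01", "backup.corp.example", 4_100_000_000),
    ("2025-09-28", "db-01", "mega.io", 27_000_000_000),   # the exfiltration day
]
# A workstation with a flat, zero-variance baseline and a small uptick on the last day.
FLOWS += [(f"2025-09-{d}", "ws-0142", "cdn.example", 200_000_000) for d in range(22, 28)]
FLOWS += [("2025-09-28", "ws-0142", "cdn.example", 210_000_000)]

# Providers named in the observables table; extend from your own intelligence.
CLOUD_STORAGE_DOMAINS = {"mega.io", "pcloud.com"}


def daily_totals(flows):
    """host -> day -> total bytes out."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def volume_anomalies(flows, target_day, k=3.0, min_ratio=1.5, min_days=5):
    """Compare each host's outbound volume on target_day with its own history.
    Alert only when today's total exceeds BOTH mean + k*stdev and min_ratio*mean;
    the ratio floor stops a flat baseline (stdev 0) from alerting on noise."""
    findings = []
    for host, per_day in daily_totals(flows).items():
        history = [b for d, b in per_day.items() if d < target_day]  # ISO dates sort as strings
        today = per_day.get(target_day)
        if today is None or len(history) < min_days:
            continue
        mean = statistics.fmean(history)
        threshold = max(mean + k * statistics.pstdev(history), min_ratio * mean)
        if today > threshold:
            findings.append({"host": host, "bytes_out": today,
                             "baseline_mean": mean, "threshold": threshold})
    return findings


def cloud_storage_egress(flows, target_day, providers=CLOUD_STORAGE_DOMAINS):
    """Flows on target_day whose destination is a listed provider or a subdomain of one."""
    def is_provider(dst):
        return any(dst == p or dst.endswith("." + p) for p in providers)
    return [(host, dst, nbytes) for day, host, dst, nbytes in flows
            if day == target_day and is_provider(dst)]


if __name__ == "__main__":
    day = "2025-09-28"
    for f in volume_anomalies(FLOWS, day):
        print(f"VOLUME {f['host']}: {f['bytes_out'] / 1e9:.1f} GB out "
              f"(baseline {f['baseline_mean'] / 1e9:.1f} GB, threshold {f['threshold'] / 1e9:.1f} GB)")
    for host, dst, nbytes in cloud_storage_egress(FLOWS, day):
        print(f"CLOUD  {host} -> {dst}: {nbytes / 1e9:.1f} GB")
```

Running it flags db-01 on both rules (31.1 GB against a roughly 4 GB baseline, 27 GB of it to mega.io) and stays silent on ws-0142, whose 5% uptick sits under the ratio floor. Daily granularity is the coarsest useful window; an hourly version of the same logic with the same two guards gives the earlier warning the paragraph above is after.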

Implement a strict and timely patch management cycle for all internet-facing systems, with a priority on network appliances like VPN concentrators, firewalls, and load balancers, as these were the reported entry point for the Asahi breach. Use automated asset discovery and vulnerability scanning tools to maintain a real-time inventory of devices and their patch status. Establish a policy to apply 'critical' and 'zero-day' patches within 24-48 hours. For devices that cannot be patched immediately, apply vendor-recommended workarounds or use virtual patching via an Intrusion Prevention System (IPS) to block known exploits. This directly hardens the initial access vector used by the attackers.

Sources & References

  • Asahi Group Reveals Findings of Cyberattack. Datamation (datamation.com), November 28, 2025
  • Asahi Data Breach Impacts 2 Million Individuals. SecurityWeek (securityweek.com), November 27, 2025
  • Asahi admits ransomware gang may have spilled almost 2M people's data. The Register (theregister.com), November 27, 2025
  • Asahi Confirms 1.5 Million Customers Affected in Major Cyber-Attack. Infosecurity Magazine (infosecurity-magazine.com), November 27, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ransomware, qilin, data breach, japan, manufacturing, pii
