Prayukth KV
October 22, 2025
Decoding the Asahi brewery ransomware attack
Asahi Group Holdings, Ltd. one of Japan’s top beer manufacturers had announced separately on September 29 and October 3 that its systems were experiencing disruption due to a ransomware attack. Subsequently, the company halted production and conducted an investigation to determine the root cause of the incident and to identify the systems impacted. The company has now resumed production and starting October 15th, Asahi Brewery also commenced partial shipments of various products including Asahi Draft Beer and Asahi Dry Zero.
Read our analysis of the Jaguar Land Rover incident here.
To understand the attack on Asahi Group, we have to first understand the TTP of the Qilin ransomware group, the threat actor behind the incident. In a message posted on its website late evening on 7th of October, Russia-based Qilin claimed responsibility for the breach. This was just a week after the attack was reported. Qilin has become a major threat actor in the last few years accounting for as much as 48 percent of breaches reported in the last two years. The group has taken over the affiliate networks of defunct threat actors. It also works in close coordination with a known APT group based in the same region.
Qilin group TTP
A typical attack begins with a phishing email crafted cleverly to appear to emerge from a managed services provider. The e-mail is sent at a time when the target employees would be busy and not able to afford enough attention. The email spoofs an authentication alert asking employees to re-enter their log in credentials as part of an ongoing systems upgrade.
Once the employee clicks the link, they are redirected to a spoof website that appears genuine in every possible way. Once an employee enters their credentials on the spoof site, a multi-factor authentication is triggered through a one-time password (OTP). Once this is entered in the spoof site, the intrusion succeeds with the attacker getting credential based access to the network and additional systems.
The group is known to do extensive research and data ex-filtration on:
· Active vendor directory to identify all major vendors who are offering app or portal-based access to services
· Mapping admins and super admins to such applications in order to target them
· The group operates with plenty of diligence in terms of both identifying the target and the messaging
Once the threat actor gains access, a series of steps are triggered in the following sequence:
· Installing a remote desktop access application
· Multi-stage reconnaissance on target networks
· Exploiting CVEs
· Targeting backups for exfiltration
· Multi-loader based Ransomware deployment and publicly naming the victim
· Using pressure tactics to get the victim to pay ransom
· Sale of exfiltrated data
How did the cyber attack on Asahi Brewery happen?
We have no reason to believe that the threat actor would have chosen another path to data and ransomware deployment than the above in case of the Asahi brewery ransomware attack. Qlin group exfiltrated almost 27.3 GB of data (over 9673 documents) spread across disparate systems including HR documents (including confidential employee assessments), financial documents including legal information, contracts and internal team specific operational records. The group went after confidential reports and information of specific interest to investors and regulators in order to put more pressure on the Asahi Group Holdings to pay the ransom.
The threat actor also targeted multiple back-ups and the extent of the attack can be gauged by the fact that even the order booking system was down as late as last week and the company had to resort to taking orders via fax and documenting orders using pen and paper. At the time of writing this report, another Japanese company in the real estate sector was also attacked by Qilin. It is possible that both these events were coordinated through a known local affiliate of Qilin based in North Korea.
The malware deployed in the attack was NETXLOADER, a stealthy malware that rides on a .NET based malware loader. This loader can be used to execute multiple payloads and that explains why various departments within Asahi Brewery were breached. Further, phased execution also ensured a very high degree of stealth and the loader and the malware executed could have remained undetected for a fair amount of time.
Qilin targeted business critical systems and data to achieve its ransom goals faster.
How can incidents like the Asahi Brewery cyberattack be prevented?
· The logical place to start is employee sensitization. It is essential to ensure that employees are aware of the TTPs of threat actors like Qilin so that they do not fall for the techniques used by them.
· Building adequate segmentation between networks enables faster containment of threats
· Having back-up of back-ups both in terms of data and in terms of newer instances of applications that can come online in case of an incident. This works not just during a cyberattack but also during operational disruption caused by other factors
· Incident response simulation and training with active dry runs to test the accuracy and timeliness of response to a cyber incident is a must. Incident response readiness should also be regularly assessed from a playbook standpoint.
For a more detailed plan of action, reach out to our Incident Response Readiness assessment team here.
Download our SecOps Guide: ISA/IEC 62443 Compliance Strategy and Checklist here.
Get a free copy of Shieldworkz OT Cybersecurity Policy Template here
