Ransomware Gang Qilin Claims Hack That Hit Beermaker Asahi

A cohort of Russian-speaking hackers known as Qilin has claimed responsibility for a ransomware attack that hobbled Asahi Group Holdings Ltd.’s operations for more than a week.

The group stole roughly 27 gigabytes of data from Japan’s biggest beer brewer including financial documents, contracts, development forecasts and employees’ personal information, Qilin said on its website. Bloomberg was unable to verify the authenticity of the claims.

All of Asahi’s domestic plants are expected to be back online by Thursday, although output will be lower than usual, a spokesperson for the Tokyo-based company said. Information suspected to have been leaked through the hack has been found on the internet, Asahi said in a statement on Wednesday. The spokesperson declined to provide more details on the investigation.

The outage at Asahi was the latest in a global wave of cyber-incidents that have hit carmakers, financial firms and hospitals. The hack underscores Japan’s vulnerability to online attacks, where even brief halts can ripple from factory floors to store shelves and restaurants given the country’s intricate supply chains.

The beermaker was forced to halt production at most of its roughly 30 factories nationwide after the cyberattack paralyzed distribution last week. Employees have been processing orders over the phone and have had to limit orders to those for the popular Asahi Super Dry brew. The company, which first reported the hack on Sept. 29, expects to expand shipments to other products from Oct. 15.

That’s as Asahi’s domestic rivals Kirin Holdings Co., Sapporo Holdings Ltd. and Suntory Holdings Ltd. are fielding a surge in orders from restaurant operators and retailers to make up for any shortages. To secure adequate production capacity for its mainstay beers, Suntory said it’s scrapping the launches of two varieties of limited-edition beers in December.

Qilin has been active since mid-2022 and targeted more than a hundred companies in more than a dozen countries, according to a list of alleged victims on the gang’s website. The group has said it was involved in a $50 million ransomware hack on UK hospital lab-service provider Synnovis, which led to hundreds of canceled operations and outpatient appointments in 2024.

The group encrypts files on infected computers to prevent access. It also often steals data, which it then threatens to publish, if the target refuses to pay for the decryption key and opts to rebuild the computer system from a backup database. Such so-called double-extortion methods have become increasingly popular as a means to compel payments, according to Jon Clay, vice president of threat intelligence at Trend Micro.

It’s not clear if Qilin’s blog entry — which includes screenshots of data it says it stole from Asahi — means the brewer refused to pay a ransom.