Anatomy of a cyberattack with a hangover: How Japan was left without beer

Russian hackers paralyzed the Asahi Group, the largest manufacturer in the country, for two weeks, putting many of its bars and restaurants at risk

Cyberattack in Japan
Manuel G. Pascual

Getting a beer has been difficult recently in the world’s fourth-largest economy, and Japanese bars, restaurants, and liquor stores have had a rough October. Asahi beer, the most-consumed in the country with a 40% market share, has been in short supply for two weeks due to a cyberattack that paralyzed production and shipments. This, in turn, left competitors like Kirin and Sapporo unable to keep up with demand and forced them to stop accepting orders from establishments seeking alternative brands.

On September 29, a ransomware attack claimed by the Russia-based Qilin group forced Asahi to close six factories and 30 other facilities. These types of attacks are carried out with malicious software that encrypts and locks systems until a ransom is paid. With computers paralyzed, the company had to temporarily revert to manual processes for order fulfillment and logistics. Everything was managed for two weeks with pen and paper, notifying customers by fax when trucks were ready to leave the warehouse.

The incident made it virtually impossible to maintain normal merchandise flows, and store shelves were empty within two days. The same thing happened in the hospitality sector: Japan’s favorite beer soon stopped being served. Asahi’s headquarters also lost the ability to receive emails, according to the company, and it had to postpone the presentation of its quarterly results.

Activity gradually resumed, starting with the group’s flagship beer, Super Dry, until all breweries had reopened by October 10, albeit at reduced capacity. The company has not yet confirmed a return to normal operations. “I would like to express my sincere apologies for any difficulties caused to our stakeholders by the recent system disruption. We appreciate your understanding and support,” said Atsushi Katsuki, the group’s president, in a statement.

The Asahi Group produces beer, but also soft drinks, food, and spirits. The cyberattack affected Japan, but not Europe, where it owns beverage brands such as Peroni, Pilsner Urquell, Grolsch, and Fuller. Losses resulting from production disruptions are estimated at around $335 million; 27 gigabytes of data were stolen, some 9,300 files, including financial documents and budgets, confidential contracts, planning and development forecasts, and internal reports, as well as personal employee information. The Qilin Group posted only a few samples on the dark web.

Fake Captchas

How did hackers manage to leave Japan without beer? “The attackers executed a highly sophisticated campaign, where a variant of Linux ransomware infected Windows systems by using legitimate remote network management tools,” explains David Sancho, senior threat researcher at Trend Micro. They accessed the brewery’s network using fake Captchas — those mechanisms that test the patience of users, who have to click on photos that show a car, for example, to prove they are not a machine. Clicking on the Captcha boxes, which appeared on the computers of key Asahi employees, “installed malware that stole network passwords, allowing them to be used for the rest of the attack. During this, backups and disaster recovery systems were disabled,” Sancho adds.

Pedestrians walk along a busy street in Osaka, Japan.

Once inside the systems, the attackers searched undetected for sensitive data to encrypt and exfiltrate. As soon as they downloaded it, they locked the systems and demanded a ransom. But the extortion is twofold. “Researchers who held private conversations with Qilin operators discovered that, in addition to demanding a ransom, they also tried to sell the stolen data to Asahi for $10 million. This demand was received on October 11, likely as a tactic to cut out intermediaries and increase the pressure on the victim,” notes Nethaniel Ribco, global head of cyber threats at UST CyberProof.

The Qilin group takes its name from a Chinese mythological creature with the body of a lion, the scales of a fish, and the antlers of a deer, from which flames emanate. But it is not an Asian organization. The fact that its code is written in Russian and that its affiliates’ attacks avoid targets located in the Commonwealth of Independent States suggests a Russian origin. “There are several indications that point to some kind of relationship with other Russian cybercriminal groups such as Scattered Spiders, or North Korean groups,” says Josep Albors, director of research and awareness in Spain for the cybersecurity company ESET.

Until it launched the attack on Asahi, its biggest victim had come in June 2024, when it extorted the British medical company Synnovis, which provides diagnostic and pathology services to several London hospitals. Qilin demanded a $50 million ransom to prevent the release of the 400 gigabytes of data it had stolen. The attack led to the cancellation of more than 6,000 medical appointments and a shortage of blood donations.

Industrialization of ransomware

There’s something that sets Qilin apart from other cybercriminal groups: they offer their malware to any hacker who manages to gain access to a corporate network, and then split the ransom payments. “They provide affiliates with all the necessary tools and infrastructure to launch attacks, and in return, they pocket between 15% and 20% of the ransoms paid,” says Eusebio Nieva, technical director of Check Point for Spain and Portugal.

Providing those who open a company’s door with the tools to steal whatever is inside, just like hiring a plumber or a lawyer, allows Qilin to industrialize the ransomware business and gain scale. “They operate with a program we call ‘Ransomware as a Service,’” explains Sancho, from Trend Micro, the lab that discovered this criminal group in August 2022.

This modus operandi has allowed Qilin to become one of the leading international threats in the ransomware sphere. In the third quarter of 2025, at least 402 successful attacks were recorded, according to Trend Micro analysts, representing 21% of the total. “Qilin is one of the most active groups currently. Among its strengths, we observe that it is a multi-platform ransomware, since attacks have also been observed against Linux servers in addition to Windows systems. It has gained some notoriety for exploiting vulnerabilities in network devices, such as routers and firewalls,” notes Albors.

Another of this group’s strengths is that, to date, it has managed to remain very elusive. “Qilin’s infrastructure is designed to withstand scrutiny: they maintain leak sites and command centers hosted on shutdown-proof services, often in countries that do not cooperate with investigations,” says Hervé Lambert, global head of consumer operations at Panda Security.
