The Qilin ransomware group has claimed responsibility for the cyber-attack on Japan’s Asahi Group and says it has stolen sensitive data from the firm.
Consumer website Comparitech revealed that the notorious actor had listed Asahi on its data leak site on October 7, claiming to have stolen 27 GB of files from the company.
The data allegedly includes personal details of employees, as well as sensitive Asahi business information. This includes financial documents, budgets, contracts, plans and development forecasts.
Asahi has not responded to Qilin’s claims at the time of writing.
The update comes just days after Asahi confirmed it had fallen victim to a ransomware attack, which had resulted in an “unauthorized transfer of data” from its servers.
The attack has caused significant operational disruption at the brewer, with order and shipment operations in Japan immediately suspended as the company mounted its response. Additionally, call center operations, including customer service desks, were suspended.
Asahi is in the process of resuming operations, including launching manual order and shipping processes.
The Tokyo-based firm owns a range of well-known global drinks brands, both alcoholic and non-alcoholic, as well as food products.
Its five beer brands are Asahi, Peroni, Kozer, Pilsner Urquell and Grolsch. It also owns UK-based brewery Fullers.
Qilin Leading the Way in Ransomware
The Qilin gang has emerged as the most prolific ransomware actor in an increasingly crowded marketplace in recent months.
ZeroFox’s Q3 2025 Ransomware Roundup report found that Qilin claimed responsibility for the highest number of attacks in the quarter, at 227.
NCC Group reported that Qilin made up 16% of all ransomware attacks in August 2025, making it the most active threat group in the month.
According to Comparitech, Qilin has taken credit for three other confirmed ransomware attacks on Japanese companies this year: Shinko Plastics in June, Nissan Creative Box in August and Osaki Medical in August.
Read now: Qilin Claims Ransomware Attack on Mecklenburg Schools
The ransomware-as-a-service (RaaS) operator provides ransomware tools and infrastructure to affiliates, taking a 15–20% share of the ransom payments.
It explicitly instructs its affiliates not to target systems located in countries part of the Commonwealth of Independent States (CIS), including Russia and Belarus.
It reportedly operates a technically mature infrastructure, with custom-built malware written in Rust and C for cross-platform attacks, including Windows, Linux and ESXi systems.
Image credit: Shaun in Japan / Shutterstock.com
