Japan’s largest brewery faces extended ransomware recovery, delaying earnings.
When Japan’s largest brewery, Asahi Group Holdings, suffered a debilitating ransomware attack in September this year, the group did not anticipate that post-attack recovery would take more than two months.
On 27 November 2025, the firm had to announce it could not release earnings results for the fiscal year ending 31 December 2025, due to the protracted business disruptions.
The cyberattack, attributed to the Russia-based Qilin ransomware group, has crippled the group’s Japan operations and disrupted order processing and logistics.
Experts analyzing the prolonged recovery time point to several factors:
- Asahi took roughly two months just to contain the ransomware, carry out forensic investigations, and implement enhanced security measures before cautiously resuming system restoration. The need to prevent the malware from spreading to suppliers and customers was the cause of the significantly slow recovery.
- Further complicating the recovery was the ransomware’s use of sophisticated tactics, which involve persistent backdoors and complex processes for terminating antivirus processes, rebooting infected systems in safe mode, deleting Windows shadow copies, and clearing event logs.
- Overall business disruptions of automated manufacturing operations forced the use of manual interventions that slowed logistics and production.
Atsushi Katsuki, CEO of Asahi Group Holdings, confirmed the group’s refusal to engage with ransom demands, describing the hack as a “sophisticated and cunning attack beyond our imagination.”
Industry observer commentaries
Weighing in on the incident, Rebecca Moody, Head (Data Research), Comparitech, highlighted the attackers’ use of advanced tactics such as persistence and defense evasion, noting the high sensitivity of the stolen data despite the relatively modest data volume. “Qilin’s breach included critical financial documents and employee data, underscoring the serious exposure even ‘small’ ransomware attacks can cause.” Attackers’ capabilities to repeatedly breach and encrypt data could obscure their true impact on victim organizations’ operations.
According to Takanori Nishiyama, SVP (APAC) and Country Manager (Japan), Keeper Security, the incident underscores growing cyber risks facing Japan’s manufacturing sector: “Cybercriminals are exploiting legacy systems, unmonitored endpoints, and privileged accounts to disrupt operations and extort payments.” He recommended that firms in the country adopt Zero Trust security to mitigate identity-based vulnerabilities that often serve as an entry point for such attacks.
Other expert analyses also note that Asahi’s recovery was delayed by underlying sector-wide vulnerabilities in Japan, including legacy operational technology, gaps in identity and access management, limited incident response readiness, and a generally underdeveloped cybersecurity posture in Japanese manufacturing firms. The incident has exposed those weaknesses sharply, leading to a painful but necessary rebuilding phase focused on resilient infrastructure rather than hasty restoration.



