Features 16.12.2025
AI Autopsy: Asahi Beer Runs Dry After Ransomware Breach
As details of Asahi’s ransomware incident poured out, how can CISOs turn these findings into actionable learnings?
For the country that gave the world sake, it may be surprising to learn that beer is by far the most popular alcoholic drink in Japan. And everyone seems to have their favourite brand. But what happens when the booze runs dry? That was the nightmare scenario facing Asahi Group Holdings when ransomware struck in late September.
Now that we know more about the breach and the steps the firm has taken to prevent a similar incident in the future, there’s plenty for CISOs to mull over.
Although the incident was first discovered and reported by Japan’s biggest brewer on September 29, the details have remained largely hidden until recently. What we now know is that Asahi discovered a “disruption” in its systems at 7am local time that day. It pulled the plug on the corporate network four hours later, after discovering that some files had been encrypted.
An investigation subsequently revealed that threat actors gained unauthorised access to the firm’s data centre network via unspecified “network equipment” at a corporate site. “Ransomware was deployed simultaneously, encrypting data on multiple active servers and some PC devices connected to the network,” Asahi said.
At the end of November, Asahi reported that data on as many as 1.9 million individuals may have been compromised after being exposed via these “company-issued PCs” and data centre servers. It includes names, gender, home and email addresses of employees and family members, as well as consumers who have contacted the firm’s customer service. Individuals whom Asahi had sent “congratulatory or condolence telegrams” to were also impacted.
“The Asahi breach reflects what we continue to see across the industry: once attackers establish a foothold – whether through a compromised identity, vulnerable device, or weakly segmented network – they can move laterally far faster than many organisations can detect,” Abnormal AI field CISO, Mick Leach, tells Assured Intelligence.
“The simultaneous deployment of ransomware across servers and endpoints, and the exposure of data from company-issued devices, mirrors patterns that are increasingly common in modern enterprise incidents.”
Although the brewing giant has been tight-lipped over which group was responsible, reports suggest the prolific Russian outfit Qilin was to blame. It claimed to have exfiltrated over 9,300 files totalling 27GB of data, some of which were published on its leak site and included financial documents, employee IDs, and confidential contracts.
Qilin claims the attack would cause Asahi to lose $200m-$335m due to production outages at its six breweries in the country, affecting 30 brands. In reality, the facilities were restarted a week later, although local reports claimed that supplies of its leading “Super Dry” brand had run out in bars across the country. The firm was forced to implement a manual ordering system, and it’s unclear how long production will take to recover fully.
What we do know is that Asahi was forced to postpone its Q3 financials, among several other delays, due to the incident. October beer sales dropped 10% year on year, while sales of its popular soft drinks plunged 40% year on year. By contrast, arch-rivals Kirin Holdings reported a 19% revenue spike and Sapporo Breweries a 13% volume increase in beer sales in the same month.
Aside from the potential long-term reputational damage this outage caused, there will also be more immediate costs associated with customer and regulator breach notifications and additional spending related to IT incident response and recovery. IBM estimates the average total breach cost at $4.4m globally, dropping to $3.7m in Japan.
Asahi says it spent about two months containing the ransomware attack, restoring systems, and enhancing security to prevent a similar incident from occurring again. Experts Assured Intelligence spoke to were largely supportive of these measures (see boxout). They suggested the following takeaways:
“The fact that this breach was only discovered once data was being encrypted suggests that earlier stages of the attack went undetected,” Avanade global security practice technology lead, Jason Revill, tells Assured Intelligence.
“CISOs should prioritise monitoring solutions capable of detecting unusual behaviours and pair this with automated playbooks that can isolate compromised endpoints or entire network segments within seconds. This level of containment is essential to prevent attackers from moving laterally and deploying ransomware across the network.”
Abnormal AI’s Leach adds that CISOs can get the insights they need by baselining normal user, device and partner behaviour, identifying deviations in communication patterns, authentication flows and privilege usage, and then correlating identity signals across systems.
“Asahi’s decision to disconnect their network the day encrypted files were discovered likely prevented far greater damage,” he continues. “Being able to isolate quickly requires: practised and well-understood playbooks; clear authority to act; and confidence in operating in a degraded mode while containment is underway.”
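The detection-and-containment approach the experts describe above (baseline normal identity behaviour, flag deviations in source network, working hours and privilege use, correlate them per identity, then trigger isolation) can be shown as a small worked example. The code below is an added illustration written for this article, not anything from Asahi or from the vendors quoted; the event fields, the 30-minute correlation window and the sample log records are all constructed assumptions.

```python
"""Baseline-and-correlate detector over constructed identity events.

Events are (user, host, source_network, action, iso_timestamp) tuples.
The sample data is constructed for illustration and is not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known good" week used to learn each identity's normal pattern.
BASELINE_EVENTS = [
    ("alice", "ws-0101", "10.20.0.0/16", "login",     "2025-09-22T08:05:00"),
    ("alice", "ws-0101", "10.20.0.0/16", "login",     "2025-09-23T08:10:00"),
    ("alice", "ws-0101", "10.20.0.0/16", "login",     "2025-09-24T08:02:00"),
    ("bob",   "ws-0202", "10.20.0.0/16", "login",     "2025-09-22T09:00:00"),
    ("bob",   "ws-0202", "10.20.0.0/16", "login",     "2025-09-23T09:12:00"),
    ("bob",   "fs-01",   "10.20.0.0/16", "privilege", "2025-09-23T09:30:00"),
]

# Constructed live feed: two normal logins, then one identity appearing from an
# unfamiliar network, out of hours, using privileges on hosts it never touched.
LIVE_EVENTS = [
    ("alice", "ws-0101", "10.20.0.0/16",  "login",     "2025-09-29T08:01:00"),
    ("bob",   "ws-0202", "10.20.0.0/16",  "login",     "2025-09-29T09:05:00"),
    ("bob",   "dc-03",   "203.0.113.0/24", "login",     "2025-09-29T02:14:00"),
    ("bob",   "dc-03",   "203.0.113.0/24", "privilege", "2025-09-29T02:20:00"),
    ("bob",   "dc-07",   "203.0.113.0/24", "privilege", "2025-09-29T02:26:00"),
]


def build_baseline(events):
    """Learn, per identity, the networks, hosts and login hours seen as normal."""
    baseline = defaultdict(lambda: {"nets": set(), "hosts": set(), "hours": set()})
    for user, host, net, _action, ts in events:
        entry = baseline[user]
        entry["nets"].add(net)
        entry["hosts"].add(host)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)


def score_event(baseline, event):
    """Return the list of deviation signals one event raises against the baseline."""
    user, host, net, action, ts = event
    entry = baseline.get(user)
    if entry is None:
        return ["unknown_identity"]
    signals = []
    if net not in entry["nets"]:
        signals.append("new_source_network")
    hour = datetime.fromisoformat(ts).hour
    # Off-hours if more than one hour away from every baseline hour (wraps midnight).
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 1 for h in entry["hours"]):
        signals.append("off_hours")
    if host not in entry["hosts"]:
        signals.append("privilege_on_new_host" if action == "privilege" else "new_host")
    return signals


def _flush(user, cluster, min_kinds):
    """Turn a cluster of correlated hits into an alert if enough distinct signals fired."""
    kinds = sorted({s for _, _, sig in cluster for s in sig})
    if len(kinds) < min_kinds:
        return []
    return [{
        "user": user,
        "signals": kinds,
        "isolate_hosts": sorted({h for _, h, _ in cluster}),
        "first_seen": cluster[0][0].isoformat(),
        "action": "isolate_hosts_and_disable_identity",  # playbook step, assumed name
    }]


def correlate(baseline, events, window=timedelta(minutes=30), min_kinds=2):
    """Group each identity's deviations inside a time window and raise containment alerts.

    A single odd signal (one new host, one late login) is noise; several distinct
    kinds on the same identity within the window is the lateral-movement shape
    worth isolating on.
    """
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[4]):
        sig = score_event(baseline, ev)
        if sig:
            per_user[ev[0]].append((datetime.fromisoformat(ev[4]), ev[1], sig))
    alerts = []
    for user, hits in per_user.items():
        cluster = []
        for hit in hits:
            if cluster and hit[0] - cluster[0][0] > window:
                alerts.extend(_flush(user, cluster, min_kinds))
                cluster = []
            cluster.append(hit)
        alerts.extend(_flush(user, cluster, min_kinds))
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print(alert)
```

Run as-is it raises one alert for `bob`, naming `dc-03` and `dc-07` as the hosts to isolate, while alice's ordinary login and bob's own morning login produce nothing. The point to take from it is the correlation step: any one of the signals would be a false-positive generator on its own, but the combination on a single identity inside a short window is what justifies an automated isolation rather than a ticket.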
Asahi’s plans to redesign its network controls are also welcomed by experts. “Measures such as implementing well-designed and monitored networks with clearly understood and documented topologies enable teams, when under pressure, to understand how the network connects and communicates and spot anomalies,” Immersive head of SecOps, Kevin Marriott, tells Assured Intelligence.
Abnormal AI’s Leach adds that corrective actions like this follow many large-scale incidents.
“Modern adversaries rarely begin at core systems; they exploit whichever trust boundary is weakest,” he says. “For CISOs, the takeaway is clear: segmentation must be identity-aware; external communication paths should be treated as high-risk zones; and access patterns require continuous behavioural validation.”
There’s no indication social engineering played a part in the breach, but Asahi has nonetheless vowed to improve its security awareness programmes. That’s a wise move, according to Avanade’s Revill.
“Security breaches often tie back to human error, so fostering a security-aware culture is as important as strong technical defences,” he argues. “Mandating a certain number of training hours or some cybersecurity awareness sessions can significantly reduce the risk of future breaches.”
Unfortunately, many existing programmes are too compliance-driven, unengaging and ineffective at changing real-world behaviour, argues Abnormal AI’s Leach. “Modern training programs need to be continuous, not annual, and personalised based on job function, behavioural patterns, and actual exposure,” he continues. “They should also be contextual and just-in-time, offering coaching at the moment risky behaviour occurs.”
It goes without saying that CISOs must prepare for the worst. But Asahi’s predicament shows that such plans often fall short. Backup strategies should therefore include “fully isolated ‘lifeboat’ environments” to ensure continuity in the event of a serious ransomware breach, Avanade’s Revill suggests.
Abnormal AI’s Leach adds that organisations must also plan for recovery scenarios in which identity systems require full validation. “Continuity planning must account for broad, multi-system degradation—not isolated service failures,” he says. “Recovery is not simply about restoring data, but re-establishing trust across the environment.”
Finally, there are strategic lessons for security leaders to learn from the Asahi breach, according to Andy Sharma, CISO at Redwood Software. They should always position cyber as a business risk – as is clear from the impact of the incident on operations, supply chains, production, financial reporting, reputation and more.
“We must reframe cyber threats in terms boards understand – operational continuity, financial exposure, regulatory risk, and brand trust. This requires moving away from technical language and towards business-aligned risk metrics and scenarios,” he tells Assured Intelligence. “A CISO’s responsibility is not only to defend systems, but to ensure leadership truly understands the organisational impact of a cyber incident before one happens.”
Strong cyber defence must be built on an enterprise-wide model which extends beyond IT to OT, network equipment, logistics, third-party environments, and shadow IT, Sharma adds.
“This requires the CISO to partner more deeply with operations, engineering, supply chain, HR, finance, and procurement. It also requires boards to recognise that cybersecurity investment is not just about firewalls and endpoints – it is about protecting the entire operational ecosystem,” he concludes. “CISOs must educate boards that resilience cannot be siloed. Cyber risk is systemic.”