
January 8, 2026

On September 29, 2025, Asahi Group Holdings, Japan’s largest beer and beverage producer, with global brands like Asahi Super Dry, Peroni, and Grolsch, suffered one of the most disruptive security incidents of the year. A ransomware attack attributed to the Qilin group not only encrypted critical systems and interrupted operations, but also triggered days of manual processes, significant financial delays, and a recovery effort still ongoing as of early 2026.
Beyond headlines about a possible “beer shortage”, this case exposes the real dynamics organizations face after a major attack, from initial containment to staggered recovery, management of exfiltrated data, and live restructuring of business processes.
Timeline of the Disaster: What Happened and How It Unfolded
The attack began on the morning of September 29, when Asahi teams detected that multiple internal systems showed signs of massive encryption and malfunction of critical services. The company isolated networks and data centers within the first 4 hours, but not before the attacker had deployed the ransomware payload and, as later forensic analysis confirmed, exfiltrated sensitive data through covert channels.
This vector, a combination of initial intrusion followed by lateral movement and simultaneous ransomware deployment across several servers, is characteristic of the sophisticated double-extortion campaigns that have dominated 2025: attackers encrypt data and exfiltrate information before containment can cut off the network.
Immediate Impact
- Automated logistics and order systems down: Asahi suspended all order processing and shipping operations in Japan, directly affecting its national supply chain.
- Customer service disconnected: Call centers and CRM systems were inaccessible, forcing the company to resort to manual communication and request processing.
- Production halted: Although physical factories were not technically infected, their reliance on IT systems for coordinating production orders, logistics, and interdependent supply chains caused up to 30 domestic plants to stop production at various points.
This simultaneity of disruptions demonstrates that for organizations with highly digitized processes, a ransomware attack is not just a technology problem; it is a structural business crisis.
Scope of the data breach: numbers and technical reality
Following forensic investigation, Asahi confirmed that approximately 1.9 million personal records were potentially exposed due to exfiltration prior to encryption. This included:
- 1,525,000 customers who had interacted with customer service
- 107,000 current and former employees
- 168,000 family members related to employees
- 114,000 external contacts, such as business partners or corporate communications recipients
The compromised data was mostly identification and contact information (names, addresses, emails, and phone numbers). There were no indications of credit card or financial data being accessed at this time.
While there’s no public confirmation that the data has been published online, its presence in malicious actors’ hands significantly complicates identity management and reputation risk, even after containment.
Response phases: from containment to staggered recovery
Asahi’s incident management was deliberate and structured, though not without challenges:
1. Immediate containment
Upon detecting the attack, Asahi activated an Emergency Response Center, isolating systems, cutting off critical internal connections, and blocking external access to limit lateral ransomware propagation. This step, though essential, left entire business functions offline, such as order automation and customer service.
2. Manual operations
With automated systems down, the company shifted to manual processes using paper and fax for orders and communications. This dramatic rollback to 20th-century tools to support 21st-century functions highlights how deep the automation dependency runs, and the cost of lacking well-tested business continuity plans.
3. Staggered service restoration
Recovery officially began in December 2025, with a progressive reactivation of order, logistics, and internal communications systems, only after verifying the integrity and cleanliness of each affected segment. Asahi projected full logistics operations would return to normal by February 2026, implying a recovery period of 4–5 months from the incident’s onset.
4. Financial and compliance delays
The technical impact translated into accounting and regulatory delays: Asahi postponed its Q3 2025 financial results by over 50 days due to its inability to access accounting and consolidation systems during the critical fiscal close.
Quantifying economic and operational impact
The attack’s effects quickly spilled into business results:
- October 2025 sales dropped between 10% and 40% compared to the same period in the previous year, according to internal estimates based on production levels and manually processed orders.
- Heavy reliance on manual processes increased direct operational costs through additional human resources and overtime, on top of the indirect losses caused by inefficiency. The total productivity loss, though not publicly quantified, is estimated to be in the multimillion-dollar range when factoring in logistics, sales, and technical recovery.
Technical intrusion analysis and operational lessons
Tactics, Techniques, and Procedures (TTPs) used by Qilin included:
- Initial compromise via poorly secured remote access or credentials. Cybersecurity experts point to commonly exploited entry points such as unsecured services, weak-MFA VPNs, or reused credentials.
- Fast lateral movement within the corporate network. The simultaneous encryption of multiple servers indicates the attacker had deep control over the environment before detection and isolation.
- Pre-encryption data exfiltration. Extracting data before ransomware deployment maximizes extortion leverage and complicates forensic response.
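The two precursors listed above (one account fanning out to many hosts, and bulk outbound transfer before encryption) are both visible in ordinary authentication and flow logs. The following Python is an added example, not part of this article and not Asahi or Qilin data: it runs a defender-side check for each precursor over constructed log lines. All hosts, accounts, IP addresses, timestamps and thresholds are made up, and the regexes assume a simple hypothetical log format rather than any specific product.

```python
"""Defender-side checks for the two precursors named above, run over
constructed log lines. Added example: not Asahi/Qilin data, not tooling
from the article. Hosts, accounts, IPs and thresholds are all made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log formats, one event per line.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"bytes_out=(?P<bytes>\d+)$")

# Constructed authentication events: one service account fans out to six
# servers in eight minutes, which a human operator rarely does.
AUTH_LOG = [
    "2025-01-01T23:40:01 auth ok user=jdoe src=10.0.5.12 dst=srv-app01",
    "2025-01-01T23:40:30 auth ok user=svc_backup src=10.0.5.12 dst=srv-fs01",
    "2025-01-01T23:41:10 auth ok user=svc_backup src=10.0.5.12 dst=srv-fs02",
    "2025-01-01T23:42:05 auth fail user=svc_backup src=10.0.5.12 dst=srv-db01",
    "2025-01-01T23:42:40 auth ok user=svc_backup src=10.0.5.12 dst=srv-db01",
    "2025-01-01T23:44:12 auth ok user=svc_backup src=10.0.5.12 dst=srv-erp01",
    "2025-01-01T23:46:50 auth ok user=svc_backup src=10.0.5.12 dst=srv-crm01",
    "2025-01-01T23:48:03 auth ok user=svc_backup src=10.0.5.12 dst=srv-fs03",
    "2025-01-02T00:10:00 auth ok user=jdoe src=10.0.5.12 dst=srv-mail01",
]

# Constructed flow records: 10.0.1.5 pushes 750 MB to one external address;
# the large internal replication flow is deliberately ignored.
FLOW_LOG = [
    "2025-01-01T23:50:00 flow src=10.0.1.5 dst=203.0.113.7 bytes_out=250000000",
    "2025-01-01T23:55:00 flow src=10.0.1.5 dst=203.0.113.7 bytes_out=250000000",
    "2025-01-02T00:01:00 flow src=10.0.1.5 dst=203.0.113.7 bytes_out=250000000",
    "2025-01-02T00:02:00 flow src=10.0.5.12 dst=198.51.100.9 bytes_out=20000000",
    "2025-01-02T00:03:00 flow src=10.0.1.5 dst=10.0.1.9 bytes_out=900000000",
]


def parse(line, pattern):
    """Return the event fields as a dict, or None if the line does not match."""
    m = pattern.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def fan_out_alerts(auth_lines, window=timedelta(minutes=10), threshold=5):
    """Map each account that logged in successfully to at least `threshold`
    distinct hosts inside one sliding `window` to the sorted list of hosts."""
    per_user = defaultdict(list)
    for line in auth_lines:
        ev = parse(line, AUTH_RE)
        if ev and ev["result"] == "ok":
            per_user[ev["user"]].append((ev["ts"], ev["dst"]))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


def is_internal(ip):
    """Constructed notion of 'inside': RFC 1918 prefixes used in the sample."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def egress_alerts(flow_lines, baseline_bytes=50_000_000, factor=10):
    """Map internal hosts whose outbound volume to external addresses exceeds
    factor * baseline to that volume. The baseline is a per-host norm that a
    real deployment would learn from history rather than hard-code."""
    totals = defaultdict(int)
    for line in flow_lines:
        ev = parse(line, FLOW_RE)
        if ev and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            totals[ev["src"]] += int(ev["bytes"])
    return {src: b for src, b in totals.items() if b > baseline_bytes * factor}


if __name__ == "__main__":
    print("fan-out:", fan_out_alerts(AUTH_LOG))
    print("egress:", egress_alerts(FLOW_LOG))
```

Both checks are deliberately coarse: the fan-out rule ignores failed logins so that a single mistyped password does not count, and the egress rule only sums traffic leaving the internal ranges, so internal backup replication does not trigger it. In practice both thresholds should come from the environment's own history, and an alert on the egress side is worth correlating with the authentication burst, since in the sequence described above the two happen together.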
Structural Lessons
- Automation without resilience is a trap: Full IT reliance for logistics and production can turn failures into catastrophic events.
- Staggered recovery is safer than “all or nothing”: Phased restoration with integrity checks lowers the risk of reintroducing persistence vectors.
- BCP and DR plans must be real: Organizations must test scenarios involving double-extortion ransomware and manual fallback processes, just like they do for datacenter failovers.
- Risk management must include privileged access and identity evaluation: Credential hygiene and hardened remote access are critical business controls, not optional extras.
Asahi’s response review: a critical evaluation
In incidents of this scale, hindsight makes criticism easy, but Asahi’s handling reveals both maturity and areas for improvement:
What went well
- Fast network isolation: Timely containment helped avoid broader spread and limited the attack to specific systems.
- Staggered recovery: Phased reactivation allowed for workload verification before reintegration into the enterprise environment.
- Clear and transparent public communication: Including formal apologies and explanations of the technical impact, helping retain customer and partner trust.
What was exposed as weakness
- Insufficient credential hygiene: Analyses point to poor password rotation and reuse as likely factors in the initial compromise.
- Incomplete network segmentation: The ability to move laterally between segments hosting critical functions suggests microsegmentation and OT/IT separation were not fully implemented.
- Extensive reliance on outdated manual processes: Falling back on paper-based operations shows that business continuity plans were neither detailed nor tested enough.
Strategic and operational conclusion for CISOs
The September 2025 ransomware attack on Asahi Group Holdings is more than a headline; it is a masterclass in how a cybersecurity incident can evolve into a multidimensional business crisis. From halting core systems that run entire supply chains to leaking contact data for millions, this case proves:
- Incidents don’t end when the encryption stops: Recovery, reconnection, integrity verification, and business process rebuilding take months.
- Technical response and business resilience go hand in hand: An incident response plan without a validated business continuity plan is a high-impact risk.
- Security culture must reach every level: From password hygiene to crisis planning, resilience is organizational, not just technical.
For any CISO, Asahi’s experience is a stark reminder: no matter how big or sophisticated your organization is, without a comprehensive, rehearsed cyber resilience strategy, even your most critical systems can become systemic points of failure in the face of advanced ransomware adversaries.
Cosmikal: robust segmentation, privileged access control, and credential protection as the core of resilience
Asahi’s attack shows that surface-level segmentation or static microsegmentation is not enough if privileged access and credentials aren’t also hardened. Modern attackers exploit these exact vectors: poorly protected credentials, persistence via excessive privileges, and connections that expose data or allow silent lateral movement.
Cosmikal’s solutions, particularly Endurance, address these three strategic pillars through a technical approach that goes far beyond traditional access control. Endurance is a Remote Shielded Workspace (RSW) that operates as a secure connection broker, mediating all privileged sessions without directly exposing critical assets.
Endurance manages credentials through its integrated encrypted vault, enforcing strict policies for usage, expiration, and full traceability. During session establishment, credentials are used in a controlled manner within Endurance’s secure perimeter, without being disclosed to the user or stored on the endpoint. As a result, credentials are never exposed outside centralized control and cannot be captured by malware, keyloggers, or malicious actors, effectively eliminating one of the most common attack vectors in privileged environments.
Interaction flows do not involve transferring sensitive data between server and endpoint. Only input/output events (keyboard, mouse, video, audio) are transmitted. Even if the endpoint is compromised, no protected data or executable commands are exposed, eliminating exfiltration risks at the root.
Meanwhile, every connection is recorded, audited, and precisely traceable, simplifying compliance with NIS2, ENS, and other demanding frameworks, while providing verifiable evidence for audits or investigations.
Segmentation in the access model
Segmentation is implemented not just at the network level but within the access model itself: each session is governed by policies that limit scope, duration, and permissions based on role, identity, and context. This ensures that a technician or operator can only see and act on exactly what the security policy allows, with no lateral movement and no unauthorized escalation.
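To make the access model described in this section concrete (per-session policy on scope, duration and context; the target credential consumed only inside the broker; every decision recorded), here is an added illustrative Python model. It is not Cosmikal or Endurance code and does not represent that product's API; the roles, hosts, policies, vault contents and the simulated connection step are all constructed assumptions.

```python
"""Illustrative policy-mediated access broker. Added example, not Cosmikal
or Endurance code: it models the pattern the text describes (scope, duration
and context checks per session; credential used only inside the broker;
every decision recorded). Roles, hosts and secrets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    targets: frozenset        # hosts the role may reach
    protocols: frozenset      # protocols the role may use
    max_duration: timedelta   # hard cap on one session
    start_hours: range        # local hours in which a session may start
    require_mfa: bool


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    target: str
    protocol: str
    duration: timedelta
    at: datetime
    mfa_verified: bool


@dataclass(frozen=True)
class Session:
    user: str
    target: str
    protocol: str
    expires_at: datetime
    # No credential field on purpose: the endpoint gets I/O events, not secrets.


POLICIES = {  # constructed roles and hosts
    "db_operator": Policy(frozenset({"srv-db01", "srv-db02"}), frozenset({"ssh"}),
                          timedelta(hours=2), range(7, 20), True),
    "helpdesk": Policy(frozenset({"ws-kiosk01"}), frozenset({"rdp"}),
                       timedelta(minutes=30), range(0, 24), False),
}
VAULT = {"srv-db01": "constructed-secret-1", "srv-db02": "constructed-secret-2",
         "ws-kiosk01": "constructed-secret-3"}  # constructed, never real
AUDIT = []  # one record per decision, allowed or denied


def evaluate(req, policies=POLICIES):
    """Return (allowed, reasons). Every failing check is listed so a denial is
    explainable in an audit; an unknown role denies by default."""
    policy = policies.get(req.role)
    if policy is None:
        return False, ["unknown role"]
    reasons = []
    if req.target not in policy.targets:
        reasons.append(f"target {req.target} outside role scope")
    if req.protocol not in policy.protocols:
        reasons.append(f"protocol {req.protocol} not permitted for role")
    if req.duration > policy.max_duration:
        reasons.append("requested duration exceeds policy cap")
    if req.at.hour not in policy.start_hours:
        reasons.append("session start outside permitted hours")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA required but not verified")
    return not reasons, reasons


def _connect(target, secret):
    """Simulated broker-side connection to the target (a real broker would
    drive an ssh/rdp client here). The secret is consumed here and nowhere else."""
    return f"{target}:{len(secret)}"


def open_session(req, vault=VAULT, policies=POLICIES):
    """Authorize, connect with the vaulted credential, and hand back a Session
    handle that carries no secret. Denied requests raise but are still logged."""
    allowed, reasons = evaluate(req, policies)
    AUDIT.append({"user": req.user, "target": req.target, "at": req.at,
                  "allowed": allowed, "reasons": reasons})
    if not allowed:
        raise PermissionError("; ".join(reasons))
    _connect(req.target, vault[req.target])
    return Session(req.user, req.target, req.protocol, req.at + req.duration)


if __name__ == "__main__":
    req = Request("alice", "db_operator", "srv-db01", "ssh",
                  timedelta(hours=1), datetime(2025, 1, 1, 10, 0), True)
    print(open_session(req))
    print(AUDIT)
```

The design choice worth noting is that `open_session` returns a handle with no credential attribute at all, rather than a redacted one: whatever the endpoint later logs, serializes or leaks, the vaulted secret is simply not present in its process. The audit list records denials with their reasons as well as grants, which is what an investigator needs when reconstructing who tried to reach which segment and when.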
This holistic approach (effective segmentation, privileged access control, encrypted credential vaults, and VDI with controlled interaction events) transforms organizational resilience. Companies move beyond reactive defenses like patching or firewalls and gain an access and operations architecture designed for secure continuity. This drastically reduces ransomware propagation, eliminates exfiltration vectors, and ensures ongoing operations even under sophisticated threat scenarios. In a world where attacks combine encryption, data theft, and lateral movement, this model elevates security from a technical layer to a strategic pillar of business continuity.