Manual workarounds keep beer flowing after a crippling cyberattack
Asahi Group Holdings, Japan’s largest brewer, confronted a ransomware attack that knocked out ordering, shipping and parts of customer support across its domestic business at the start of the week. With core systems offline and email blocked from outside addresses, the company took an old school route to keep beer moving. Staff processed purchase orders by hand, filled paper forms, and sent instructions by fax to warehouses and distributors. The aim was clear, keep store shelves and pubs from going dry while engineers worked to recover the network.
- Manual workarounds keep beer flowing after a crippling cyberattack
- What happened and how ransomware shuts companies down
- Who is Qilin and what data the group says it stole
- Supply shock for retailers and restaurants
- Recovery status and what comes next for operations
- Why manufacturing cyber risk is rising
- How Japan is responding to cyber risk
- What it means for consumers and competitors
- Key Points
The disruption halted transactions and deliveries for top sellers including Asahi Super Dry and Mitsuya Cider. By Friday, limited shipments restarted after teams set up manual workflows, but the company warned that service would remain patchy while networks came back in stages. Six domestic breweries began to resume production on a limited basis, and call centers prepared reduced operations. Asahi also said it was checking signs of possible information theft linked to the attack.
Chief executive Atsushi Katsuki urged patience and stressed that supplying products would remain the priority while systems are restored.
Katsuki said: “We are making every effort to restore the system quickly while implementing alternative measures to ensure continued product supply.”
Convenience store chains that sell much of Japan’s beer flagged stock risks as the outage lingered. Seven & I Holdings, operator of the Seven Eleven chain, prepared notices to customers about suspended shipments. Rival chains Lawson and FamilyMart told shoppers some Asahi beverages, and store brand items produced with Asahi, could become scarce through the weekend. Restaurants shifted to other brewers where possible and switched from draft to bottles to stretch remaining inventory.
What happened and how ransomware shuts companies down
Ransomware is a form of cyber extortion. Attackers break into a company network, scramble files so they cannot be used, and demand payment to hand over a decryption key. Many groups add a second threat, they copy data and promise to publish it if the victim refuses to pay. The combination is often called double extortion. When an attack hits a company that runs 24 hour production and distribution, the effect is immediate. Logistics systems freeze, factory planning tools cannot see orders, and customer service goes silent.
In this case, Asahi confirmed its servers were hit by ransomware and said the failure was limited to operations in Japan. The company isolated affected systems to stop further spread, then began building manual workarounds to ship beer and soft drinks. That move reduced the blast radius of the attack, but it also slowed the business to human speed, with phone, fax and paper handling tasks that are normally automated.
In a notice to customers and partners, the brewer apologized for the disruption and said restoration work would continue until systems were safe to bring online.
An Asahi statement said: “We sincerely apologize for any inconvenience caused to our customers and business partners. We are actively investigating the cause and working to restore operations; however, there is currently no estimated timeline for recovery.”
Timeline of the outage
- September 29: A system failure in Japan halts order processing, shipments and call center operations.
- October 2: Production restarts at six domestic beer plants on a limited basis, and manual order handling by phone and fax expands.
- October 3: Asahi confirms ransomware caused the system failure and says traces of possible unauthorized data transfer are under investigation.
- October 4 to October 6: Limited shipments resume, call centers prepare partial service, and retailers warn of possible shortages.
- October 8: The Qilin ransomware group claims responsibility and posts samples of stolen files on a leak site. Asahi says it has found stolen data online and is investigating scope and notification needs.
The incident did not affect Asahi’s operations outside Japan. International brands in Europe and other regions continued to produce and ship as normal.
Who is Qilin and what data the group says it stole
A group calling itself Qilin claimed the attack. The operators posted samples on their leak site on the dark web and said they exfiltrated roughly 27 gigabytes of internal data. Listings described contracts, financial documents and employee related files. One post referenced 9,323 stolen files and displayed several dozen images of documents as proof. Asahi has since reported that stolen data from the incident was found online and said it would notify affected parties after confirming details.
Qilin is a ransomware as a service operation. The core group provides malware and infrastructure and shares proceeds with affiliates who break into targets. Security researchers say the group has focused on healthcare and manufacturing among other sectors and that it uses code families that run on Windows, Linux and ESXi servers. The crew often follows the double extortion model, pressuring victims by both encrypting systems and threatening to release data if ransom demands go unpaid.
Supply shock for retailers and restaurants
Convenience store chains, a backbone of beverage sales in Japan, were among the first to feel the strain. At Seven Eleven, shoppers saw notices about suspended deliveries of Asahi Super Dry and some soft drinks. Lawson and FamilyMart warned that several Asahi items could be scarce from Friday. Private label products developed jointly with retailers also faced pauses, including Seven Premium Clear Cooler chuhai and bottled teas sold under chain brands. Some stores limited purchases, and operators said they were preparing substitute items.
Restaurants that rely on fast moving keg and bottle deliveries did what they could to bridge the gap. Marugen Ramen said shipments of draft and bottled beer from Asahi had stopped and that it would move to other suppliers once stock ran out. Kisoji, known for shabu shabu, shifted from draft to bottles and sourced from other brewers to keep service running. Some izakaya pubs warned patrons that Asahi drafts could run out if the outage stretched further.
A spokesperson for Seven & I Holdings, which operates Seven Eleven, said the company moved to manage expectations during the disruption.
The spokesperson said: “We are preparing to warn customers about suspended shipments. At this stage, there are no major disruptions.”
Retailers also referenced other Asahi beverages beyond beer. Mitsuya Cider faced short term supply pressure and some chain exclusive products went on hold. The ripple effect extended to nonalcoholic lines and food items manufactured at the company’s domestic plants.
Recovery status and what comes next for operations
Asahi restarted all six of its domestic beer plants on a limited basis, prioritizing core products and large customers while manual processing remained in place. Orders were handled by phone and fax, with shipping teams focusing on existing commitments and high volume routes. The brewer also began to restart soft drink production at select sites, preparing other plants as systems came back. The company said a full restoration timeline was still uncertain and that some systems would remain offline until checks were complete.
Competitors adjusted to the surge in demand. Kirin, Sapporo and Suntory redirected supply to restaurants and stores where practical, while cautioning that logistics capacity and contracts would limit how much they could fill. Analysts said the incident could weigh on fourth quarter earnings for Asahi if out of stock penalties or extended outages accumulate, though the early restart of production helped limit damage.
Why manufacturing cyber risk is rising
Brewing today relies on a dense web of digital tools. Production lines are controlled by sensors and industrial software, warehouse robots follow instructions from planning systems, and delivery fleets depend on connected schedules. This is the domain of operational technology, the equipment and software that runs factories and logistics. When attackers jump from corporate networks into these environments, the effect is not just lost files. The physical process can slow or stop.
Industry data shows attackers increasingly aim at manufacturing, especially in Asia Pacific. One threat intelligence report estimated that manufacturing accounted for a large share of attacks in the region this year, ahead of sectors such as finance and transportation. Specialists point to legacy controllers connected to modern networks, unpatched interfaces at the edge of factories, and third party tools that link corporate and industrial systems. A single weak point can give attackers deep access to production, ordering and shipping.
OT and IT convergence in brewing
Breweries illustrate the challenge. A modern plant runs a precise fermentation schedule, tracks tank temperatures, moves bottles and cans through fillers and palletizers, then hands off to enterprise tools that plan inventory and delivery. Each link is digital. When order entry and routing systems fell during the Asahi attack, breweries could not see what to make or where to send it. The company turned to phones and fax machines to approximate that planning. Security experts often recommend segmenting factory networks from corporate IT, limiting remote access, monitoring for abnormal behavior and training staff to spot phishing. Those steps add barriers that make it harder for intruders to pivot from email to equipment.
How Japan is responding to cyber risk
Japan has faced a rise in ransomware incidents. The National Police Agency reported more than two hundred ransomware cases in 2024, an increase from the prior year, and a survey found that in nearly half of cases it took at least a month to recover lost data. A new law passed in May gave authorities broader powers to disrupt cyber criminals and to work with the private sector on prevention and response. The move reflected growing concern that digital attacks could spill over into daily life.
Itsunori Onodera, who chaired a key policy research council during the debate, stressed that stronger defenses are now a matter of public safety.
Onodera said: “Without an urgent upgrade of the nation’s cyber security, the lives of Japanese people will be put at risk.”
That message resonates with events at major companies in recent months. High profile incidents at automakers and retailers showed how a single breach can ripple across supplier networks and shut plants for days or weeks. The Asahi case adds beverage production and distribution to that list and underscores why resilience planning now extends well beyond data privacy to the nuts and bolts of business continuity.
What it means for consumers and competitors
Shoppers felt the effect first in convenience stores and casual restaurants, where the turnover of beer and soft drinks is rapid. Many buyers will switch to Kirin, Sapporo or Suntory when a favorite lager is missing. Some will wait for Super Dry to return, a sign of how loyal many drinkers are to its taste. Bars and izakaya that rely on kegs may run through stock faster than grocery stores, since draft volumes require frequent deliveries. Asahi’s manual workarounds are keeping product moving, yet the pace is slower than normal. That makes the next several days a balance between supply trickling in and demand that rarely slows.
Key Points
- Asahi confirmed a ransomware attack disrupted its domestic systems, halting orders, shipments and parts of customer support in Japan.
- To keep products moving, staff processed orders by hand and used fax, while engineers worked to restore systems safely.
- Limited shipments resumed and six domestic beer plants restarted production on a restricted basis, with orders handled by phone and fax.
- Convenience stores warned shoppers about possible shortages of Asahi Super Dry, Mitsuya Cider and several chain exclusive beverages.
- Restaurants switched to other brewers where possible and shifted from draft to bottled beer to stretch remaining stock.
- The Qilin ransomware group claimed responsibility and said it stole about 27 gigabytes of data, posting samples on a leak site.
- Asahi said stolen data from the incident was found online and that it is investigating scope and notification needs.
- International operations were not affected, and brands outside Japan continued to produce and ship as normal.
- Manufacturing remains a prime target for ransomware in Asia Pacific, where legacy industrial systems often connect to modern IT.
- Japan strengthened cyber authorities in May after a rise in ransomware cases, reflecting concern over risks to daily life and supply chains.
