Qilin, a ransomware group with a track record of cyberattacks on major entities around the world, claimed responsibility on Tuesday for a hack on Japan’s Asahi Group Holdings 2502.T that disrupted production at the beer and beverage giant.
Asahi Group’s beer-making subsidiary, Asahi Breweries, said on Monday it had restarted production at its six Japanese beer plants on October 2. It first said it had been hacked on September 29.
Qilin, which operates a ransomware-as-a-service platform that allows users to carry out attacks in exchange for a percentage of extortion proceeds, posted 29 images to its website on Tuesday of what the group claims to be internal Asahi Group documents.
Read more: Asahi Suspends Some Beverage Shipments After Hit by Cyberattack in Japan
The group claims to have stolen more than 9,300 files, or roughly 27 gigabytes of data, according to the entry on its website.
Reuters could not immediately verify the authenticity of the documents.
An Asahi Group Holdings spokesperson said in an email late Tuesday that the matter was still under investigation and the company declined to comment on Qilin’s claims, or any details about extortion demands or negotiations.
Qilin did not respond to a request for comment.
Qilin has been a prolific ransomware service since first emerging in 2022 with 870 claimed attacks, according to data compiled by eCrime.ch, a cybercrime research platform.
The group was behind the June 2024 hack of British diagnostic services provider Synnovis, which officials said in June 2025 contributed to the death of a London hospital patient.
(Reporting by AJ Vicens in Detroit; additional reporting by Raphael Satter in Washington and James Pearson in London; editing by Sharon Singleton and Jamie Freed)
The service has generated for its small group of operators at least $100,000 in cryptocurrency payments since launching in July 2024, Masada said in the blog.
Microsoft said the seizure of the websites occurred over a period of days earlier this month.
Microsoft identified Nigeria-based Joshua Ogundipe as the leader and main operator of Raccoon0365. Ogundipe did not immediately respond to an email request for comment sent to the email address identified by Microsoft in its court filing.
“Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
Raccoon0365 subscribers have targeted a wide swath of industries, Masada said, and separate court filings allege that “a significant portion” of Raccoon0365 activity targets organizations based in New York City.