Asahi Group Holdings (Asahi Beer)

Asahi Beer, a subsidiary of Japan’s Asahi Group Holdings, fell victim to a ransomware attack claimed by the **Qilin** ransomware group—part of the newly formed coalition with **DragonForce** and **LockBit**. The attack disrupted Asahi’s operations, with reports suggesting potential data exfiltration, including sensitive corporate and possibly customer information. While the full scope of the breach remains undisclosed, Qilin’s involvement signals a high-risk scenario, given the group’s history of targeting large enterprises for financial gain and reputational damage. The attack aligns with the coalition’s stated intent to escalate ransomware campaigns, leveraging combined resources to maximize pressure on victims. Asahi’s incident underscores the growing threat of RaaS (Ransomware-as-a-Service) collaborations, where groups pool expertise to bypass defenses and demand higher ransoms. The breach may have also exposed proprietary business data, supply chain details, or employee records, amplifying operational and legal risks. Asahi has not confirmed whether a ransom was paid or if data was leaked, but the attack reflects the broader trend of ransomware gangs targeting high-profile brands to extract concessions.

Source: https://www.theregister.com/2025/10/08/dragonforce_qilin_lockbit_collab/

TPRM report: https://www.rankiteo.com/company/asahigroup-holdings

{
  "id": "asa1302113100925",
  "linkid": "asahigroup-holdings",
  "type": "Ransomware",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Beverage (Alcohol)',
                        'name': 'Asahi Beer',
                        'type': 'Corporation'},
                       {'name': '39 Unnamed Companies (via Salesforce '
                                'environments)',
                        'type': ['Corporation', 'Organization']}],
 'customer_advisories': "Salesforce statement: 'Salesforce will not engage, "
                        "negotiate with, or pay any extortion demand.'",
 'data_breach': {'number_of_records_exposed': 'Scattered Lapsus$ Hunters claim '
                                              '~1 billion records '
                                              '(unverified)'},
 'date_detected': '2025-09-01',
 'date_publicly_disclosed': '2025-09-01',
 'description': 'Ransomware-as-a-service (RaaS) groups DragonForce, Qilin, and '
                'LockBit announced a strategic collaboration to enhance their '
                'attack capabilities and market dominance. The partnership, '
                'proposed by DragonForce in early September 2025, aims to '
                "create a 'coalition' or 'cartel' to maximize income and avoid "
                "internal conflicts. The alliance follows LockBit's "
                'reemergence with its LockBit 5.0 variant and seeks to restore '
                'its reputation after a 2024 law enforcement takedown. While '
                'no joint attacks have been observed yet, the collaboration is '
                'expected to increase the frequency and effectiveness of '
                'ransomware attacks, potentially targeting critical '
                'infrastructure and low-risk sectors previously overlooked. '
                'Separately, another cybercrime collective (Scattered Spider, '
                "ShinyHunters, and Lapsus$ rebranded as 'Scattered Lapsus$ "
                "Hunters') launched a new data-leak site targeting 39 "
                "companies' Salesforce environments, claiming nearly 1 billion "
                'stolen records.',
 'impact': {'brand_reputation_impact': 'LockBit seeks to restore reputation '
                                       'post-2024 takedown; potential '
                                       'reputational damage to targeted '
                                       'entities',
            'operational_impact': 'Potential surge in ransomware attacks on '
                                  'critical infrastructure and low-risk '
                                  'sectors'},
 'initial_access_broker': {'high_value_targets': ['Critical Infrastructure '
                                                  '(e.g., nuclear power '
                                                  'plants, '
                                                  'thermal/hydroelectric '
                                                  'plants)']},
 'investigation_status': 'Ongoing; no confirmed joint attacks by '
                         'DragonForce/Qilin/LockBit as of report. Scattered '
                         "Lapsus$ Hunters' data-leak site active with "
                         'unverified claims.',
 'lessons_learned': 'Collaboration among RaaS groups can amplify threat '
                    'capabilities, targeting critical infrastructure and '
                    'previously low-risk sectors. Law enforcement actions '
                    '(e.g., LockBit takedown) may temporarily disrupt '
                    'operations but fail to fully dismantle groups due to '
                    'decentralized structures and affiliate mobility.',
 'motivation': ['Financial Gain',
                'Market Dominance',
                'Reputation Restoration (LockBit)',
                'Collaborative Strength'],
 'post_incident_analysis': {'root_causes': ['Decentralized RaaS affiliate '
                                            'models enable rapid reformation '
                                            'post-law enforcement actions.',
                                            'Lack of international '
                                            'coordination to permanently '
                                            'dismantle cybercrime groups.',
                                            'Financial incentives drive '
                                            'collaboration among competing '
                                            'threat actors.']},
 'ransomware': {'ransomware_strain': ['LockBit 5.0',
                                      "Potential future 'ShinySp1d3r RaaS' (by "
                                      'Scattered Lapsus$ Hunters)']},
 'recommendations': ['Monitor for joint operations by DragonForce, Qilin, and '
                     'LockBit, especially in critical infrastructure sectors.',
                     'Enhance defenses against social engineering (e.g., '
                     "Scattered Lapsus$ Hunters' tactics) and RaaS-based "
                     'attacks.',
                     'Prepare for potential ransomware-as-a-service '
                     "innovations (e.g., 'ShinySp1d3r RaaS').",
                     'Review third-party risk exposure (e.g., Salesforce '
                     'environments targeted by Scattered Lapsus$ Hunters).',
                     'Strengthen incident response plans for multi-group '
                     'cybercrime collaborations.'],
 'references': [{'source': 'The Register'},
                {'source': 'ReliaQuest Q3 2025 Ransomware Report'},
                {'source': 'vx-underground (malware collector)'},
                {'source': 'Telegram (Scattered Lapsus$ Hunters '
                           'announcement)'}],
 'regulatory_compliance': {'legal_actions': 'Historical: 2024 law enforcement '
                                            'action against LockBit (servers '
                                            'seized, identity revealed)'},
 'response': {'law_enforcement_notified': "Historical: LockBit's 2024 takedown "
                                          'involved international law '
                                          'enforcement (servers, domains, '
                                          'decryption keys seized; '
                                          "LockBitSupp's identity revealed as "
                                          'Dmitry Yuryevich Khoroshev)'},
 'threat_actor': ['DragonForce', 'Qilin', 'LockBit'],
 'title': 'Collaboration of Ransomware-as-a-Service (RaaS) Groups: '
          'DragonForce, Qilin, and LockBit',
 'type': ['Ransomware Collaboration',
          'RaaS Partnership',
          'Cybercrime Alliance']}