
Asahi cyberattack exposes food industry’s growing ransomware crisis
Key takeaways
- Asahi Group Holdings estimates JPY5 billion (US$31.4 million) in lost revenue after a September 2025 ransomware attack shut down production throughout Japan.
- Ransomware attacks on food and agriculture hit 265 in 2025, with the same group behind the Asahi breach — Qilin — ranked as the sector’s most active threat actor.
- Food distributor UNFI lost up to US$400 million in sales, and UK retailer Marks & Spencer saw profits halved, as cyberattacks hit supply chains.

Ransomware attacks on F&B companies surged in 2025, shutting down factories, halting distribution networks, and costing major players hundreds of millions of dollars in lost sales. The trend poses direct risks to ingredient supply chains, food safety systems, and regulatory compliance — and most of the sector remains unprepared.
Japanese beverage giant Asahi Group Holdings published its delayed third-quarter 2025 financial results on March 10 after a ransomware attack in September knocked out the company’s financial reporting systems for months. The attack, attributed to the Qilin ransomware group (a Russia-linked operation that uses double-extortion tactics, encrypting systems while threatening to publish stolen data), encrypted servers across Asahi’s data centers and disrupted ordering, shipment, and production systems at its 30 Japanese factories.

Asahi estimates the direct financial impact at JPY5 billion (US$31.4 million) in lost revenue and JPY2 billion (US$12.6 million) in lost profit. Its Japan and East Asia segment profits fell 3.1% year-on-year to JPY100 billion (US$627.3 million), while group core operating profit dropped 4.6% to JPY202.4 billion (US$1.26 billion) on a constant currency basis.
“We thought we had taken necessary and sufficient measures. However, this attack was more advanced and sophisticated than anything we had anticipated,” says Asahi president and CEO Atsushi Katsuki in the company’s results briefing. The company refused to pay the ransom demand, with Katsuki noting there would be “no guarantee” of full restoration and that payment could make Asahi a target for future attacks.
The personal data of approximately 1.9 million individuals — including 1.5 million customers — was potentially exposed, according to Asahi’s investigation report, published in November 2025.
A sector under siege
Asahi’s experience is not isolated. The Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) recorded 265 ransomware attacks on the food and agriculture sector in 2025, according to its “Farm-to-Table Ransomware Realities” report, published in February 2026. Total ransomware incidents across all sectors hit 6,377 — an 82% increase over 2024.
Qilin was the most active ransomware operator targeting the sector in 2025. The Food and Ag-ISAC’s separate threat report, released on March 17, identifies 72 active threat actors targeting the sector, with Russian-linked groups accounting for 59.3% of observed activity and Chinese-linked groups 25.4%.
Industrial cybersecurity firm Dragos, in its quarterly ransomware analyses, ranks F&B as the second most-targeted manufacturing subsector — accounting for 75 incidents and 16% of all manufacturing ransomware in Q1 2025 alone.
Its 2026 Year in Review finds ransomware groups targeting industrial organizations surged 49% year-on-year, impacting 3,300 organizations globally. The average dwell time before detection in operational technology environments was 42 days.
Distribution and retail fallout
In the US, food distributor United Natural Foods (UNFI) disclosed in an SEC filing in June 2025 that a cyberattack forced it to take its systems offline, shutting down electronic ordering and invoicing across its network of 52 distribution centers serving approximately 30,000 customers, including Whole Foods.
UNFI’s executives told investors in July that the attack resulted in up to US$400 million in lost sales. The company operated on manual workarounds for approximately three weeks.
In the UK, Marks & Spencer disclosed in its half-year results that a ransomware attack over Easter 2025 caused £324 million (US$411.5 million) in lost sales and cut pre-tax profits by 55.4% to £184.1 million (US$233.8 million).
Online food and fashion sales fell 40%, and logistics system failures left food shelves bare for weeks. Chairman Archie Norman told the UK Parliament’s Business and Trade Sub-Committee that the attackers gained access by impersonating an employee and convincing a third-party provider to reset an internal password.
Ingredient supply chains at risk
The data points to specific vulnerabilities for ingredient manufacturers and suppliers. Claroty, a cyber-physical systems security firm, reports in its F&B sector analysis that approximately 90% of cyberattacks on F&B companies originated through third-party supplier access. More than 70% of respondents reported significant financial losses, while 22% reported public safety impacts and 19% reported incidents involving human injury.
The UNFI attack illustrates how a single point of failure in distribution can cascade. Its three-week system outage disrupted deliveries of more than 250,000 products, forcing retailers and foodservice operators to emergency-source from alternative suppliers at less favorable terms.
For ingredient companies operating just-in-time supply chains — particularly in perishables, dairy cultures, enzymes, and other time-sensitive inputs — a comparable disruption could propagate rapidly through customer operations.
The FBI has identified four major cyberthreat categories facing the food and agriculture sector: ransomware, foreign malware, data and intellectual property theft, and bioterrorism. CISA and the USDA have jointly flagged business email compromise schemes specifically targeting food product and ingredient shipments.
Regulatory pressure building
The EU’s NIS2 Directive, in force since October 2024, now explicitly covers food production, processing and distribution companies, requiring them to implement cybersecurity risk management measures and report significant incidents. Ingredient suppliers operating in or selling into EU markets fall within scope.
Asahi’s phased restoration took months, and the company says it is now shifting to a continuous monitoring model. Dragos’s own incident response data offers a benchmark — organizations with comprehensive operational technology visibility contained ransomware incidents in an average of five days, compared to the 42-day sector average. That gap amounts to the difference between a manageable disruption and a supply chain crisis.










