Cyber Incident Victim: Asahi Group Holdings
Date: Oct 2022
Location: Japan
Summary
The BlackByte ransomware group compromised a precision metal manufacturing and metal solution provider, exfiltrating gigabytes of sensitive documents including financial records and sales reports. Attackers demanded separate payments of $500,000 for data retrieval and $600,000 for deletion, while leveraging techniques like bring-your-own-vulnerable-driver attacks to evade security measures. The group, known for infrastructure-targeting and evolving extortion models resembling LockBit, employed variable pricing strategies based on victim criticality.
Description
On or around October 30, 2022, the BlackByte ransomware group claimed responsibility for a cyberattack targeting Asahi Group Holdings, Ltd., a precision metal manufacturing and metal solution provider with over 40 years of operations. The attackers asserted they exfiltrated gigabytes of sensitive documents, including financial records and sales reports. BlackByte demanded separate payments from Asahi: $500,000 to purchase the stolen data and $600,000 to delete it. This incident occurred amid BlackByte’s broader operational shift toward more sophisticated extortion tactics, as evidenced by their August 2022 ransomware version 2.0 update, which introduced tiered ransom options resembling LockBit’s model. The group had previously allowed victims to pay $5,000 for a 24-hour leak delay, $200,000 to download their data, or $300,000 for data destruction—though pricing reportedly varied based on target value.

BlackByte’s attack on Asahi aligned with their documented history of targeting critical infrastructure entities, following the FBI’s February 2022 disclosure of breaches against three U.S. critical infrastructure organizations. The group, active since September 2021, had previously suffered operational setbacks when Trustwave’s SpiderLabs released a free decryptor for early ransomware variants in October 2021 after identifying cryptographic flaws. BlackByte subsequently patched these vulnerabilities, eliminating the decryption option for newer attacks. The Asahi intrusion also coincided with Sophos researchers’ early October 2022 warnings about BlackByte employing bring-your-own-vulnerable-driver (BYOVD) techniques to disable security software during attacks. No information regarding Asahi’s containment measures, data recovery status, or ransom payment decisions was disclosed in available sources.
