
Asahi GHD Ransomware Incident: VPN Exploitation Case and ASM-Based Prevention Strategies

In late September 2025, Asahi Group Holdings experienced a major cyber incident that disrupted order and shipping systems across its nationwide operations in Japan. The investigation later confirmed that the attack was carried out by Qilin, a Russia-linked ransomware group.
The attackers gained initial access by exploiting vulnerabilities in externally exposed VPN devices. They then moved laterally through the internal network, encrypting systems at scale and exfiltrating large volumes of data. Asahi subsequently announced that up to 1.92 million personal data records may have been compromised, and it implemented emergency measures, including suspending internal VPN usage and restructuring its network to prevent a recurrence.

Although the impact was limited to Japan, the fact that a global brand like Asahi was targeted drew international attention. This article explores how organizations can learn from the Asahi GHD ransomware incident and proactively mitigate external threats through Attack Surface Management (ASM).

Asahi GHD Ransomware Attack Flow Analysis

Asahi GHD ransomware attack flow

Based on publicly available incident analyses and industry reports, the attack flow can be reconstructed as follows:

1. Initial Intrusion: Externally Exposed Network Device Vulnerabilities

The attackers gained their first point of access by exploiting vulnerabilities in network or VPN devices that were reachable from the internet.
In other words, an unpatched, externally exposed service became the entry point of the attack.

2. Credential Abuse and Lateral Movement via VPN

Once inside the network, whether through stolen VPN credentials or through the VPN device vulnerability itself, the attackers escalated privileges and moved laterally from system to system.

3. Data Exfiltration → Ransomware Encryption

The attackers encrypted data center servers and employee PCs, exfiltrated nearly two million personal data records, and then used the stolen data for double extortion, threatening publication on top of the ransom for decryption.

In summary, the attack began on the external attack surface and spread because internal weaknesses, such as flat network segments and over-privileged accounts, allowed it to expand.

What Is Criminal IP ASM?

Attack Surface Management (ASM) is a security approach that examines an organization’s external assets from an attacker’s perspective and automatically identifies components that could serve as entry points.
In other words, ASM enables real-time detection and proactive management of unknown public-facing assets, configuration errors, and exposed vulnerabilities.

Criminal IP ASM builds on this concept by automatically identifying CVE vulnerabilities, open ports, remote access services, and other elements that constitute an organization’s attack surface.
Through AI-driven analysis, it prioritizes risks and clearly highlights the assets that administrators must address first.

Criminal IP ASM Dashboard Demo

The dashboard automatically discovers and maps the subdomains and IPs associated with an organization's registered root domain, providing a structured view of its externally exposed assets.
Each asset is then classified into one of three risk levels, High, Medium, or Low, so that security teams can understand their external attack surface at a glance.

With this dashboard, administrators can centrally manage their entire external attack surface from a single interface and quickly identify and remediate high-risk elements before attackers exploit them.

How Criminal IP ASM Could Have Helped in the Asahi GHD Ransomware Attack

The Asahi case clearly demonstrates how a single vulnerability in an externally exposed asset can lead to a full-scale enterprise compromise.
Because the attackers gained initial access by exploiting a known VPN vulnerability, identifying and managing that exposure in advance would have removed the entry point they actually used and substantially reduced the likelihood of the intrusion.

Example of searching for SSL VPN in the ASM Risk page

Searching for SSL VPN within the High-Risk category of an organization's ASM dashboard immediately lists the assets on which an SSL VPN service is exposed directly to the internet, as shown in the image above.
Such a device is reachable by anyone, which lets attackers fingerprint it, scan it for known vulnerabilities, attempt authentication bypasses, or point automated intrusion tooling at it.

Criminal IP ASM automatically correlates these high-risk assets with device model and version information, open ports, and CVE mappings. This eliminates the need for administrators to manually inspect external assets or review individual devices, enabling them to easily understand the entire external attack surface and take proactive action.

Hovering over an IP address in the search results

When you hover your cursor over an IP address in the search results, you can instantly view detailed information linked to that asset through IP Report and Asset Search integration.

Asset Search results for a specific IP address

In Criminal IP Asset Search, you can review detailed information about the IP address, including which applications are using the open ports, the versions in use, and in-depth title and banner data.

Risks of Externally Accessible VPN Appliances

Because VPN appliances are gateways that sit directly on the boundary of an organization's internal network, they become a primary target for attackers when exposed to the internet. The ports to watch include:

  • 443/TCP – SSL VPN portal (also ordinary HTTPS, so banner and title fingerprinting is needed to tell a VPN login page from a web server)
  • 500/UDP – IPsec IKE (IKEv1/IKEv2 negotiation)
  • 4500/UDP – IPsec NAT-T
  • 1194/UDP – OpenVPN

Additionally, many organizations operate these devices in vulnerable conditions:

  • Unpatched FortiGate / Palo Alto / SonicWall appliances with publicly known CVEs
  • Weak, self-signed, or expired SSL certificates, which are less a direct attack vector than a reliable sign that nobody is maintaining the device
  • Default login portals exposed directly to the public internet, without MFA or source-IP restrictions

Such configurations create direct initial-access vectors of the kind seen in the Asahi incident.
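The High/Medium/Low classification described above can be reproduced in a simple rule-based form. The following is an added example, not Criminal IP code or output: it triages a constructed asset inventory by the same signals the text lists (exposed remote-access ports, unpatched CVEs, expired certificates, exposed login portals). The product name "ExampleVPN", the `unpatched_cve` flag (assumed to come from a platform's product/version-to-CVE correlation) and all IP addresses are constructed for illustration.

```python
"""Rule-based triage of an external asset inventory (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Remote-access services an attacker looks for on the external attack surface.
VPN_PORTS = {
    (443, "tcp"): "SSL VPN portal",
    (500, "udp"): "IPsec IKE",
    (4500, "udp"): "IPsec NAT-T",
    (1194, "udp"): "OpenVPN",
}
VPN_HINTS = ("vpn", "sslvpn", "remote access")
LOGIN_HINTS = ("login", "sign in", "logon")


@dataclass
class Asset:
    ip: str
    port: int
    proto: str
    product: str = ""            # from banner/title fingerprinting
    title: str = ""              # HTTP title when the port speaks HTTPS
    cert_not_after: date | None = None
    unpatched_cve: bool = False  # assumed: supplied by CVE correlation of product/version


@dataclass
class Finding:
    asset: Asset
    level: str
    score: int
    reasons: list[str] = field(default_factory=list)


def is_vpn_service(a: Asset) -> bool:
    """443/TCP is ambiguous: count it as a VPN portal only when the fingerprint says so."""
    if (a.port, a.proto) not in VPN_PORTS:
        return False
    if a.port == 443:
        text = f"{a.product} {a.title}".lower()
        return any(h in text for h in VPN_HINTS)
    return True


def assess(a: Asset, today: date) -> Finding:
    """Score one asset; the weights are illustrative, not a vendor's scoring model."""
    score, reasons = 0, []
    if is_vpn_service(a):
        score += 2
        reasons.append(f"{VPN_PORTS[(a.port, a.proto)]} reachable from the internet")
    if a.unpatched_cve:
        score += 3
        reasons.append("product/version maps to an unpatched CVE")
    if a.cert_not_after is not None and a.cert_not_after < today:
        score += 1
        reasons.append("TLS certificate expired (unmaintained device)")
    if any(h in a.title.lower() for h in LOGIN_HINTS):
        score += 1
        reasons.append("login portal exposed to the public internet")
    level = "High" if score >= 4 else "Medium" if score >= 2 else "Low"
    return Finding(a, level, score, reasons)


def triage(assets: list[Asset], today: date) -> list[Finding]:
    """Highest-risk assets first, so the top of the list is what to fix today."""
    return sorted((assess(a, today) for a in assets), key=lambda f: -f.score)


# Constructed inventory (RFC 5737 documentation addresses, fictitious product).
SAMPLE_ASSETS = [
    Asset("203.0.113.10", 443, "tcp", product="ExampleVPN",
          title="ExampleVPN SSL-VPN Login", cert_not_after=date(2024, 3, 1),
          unpatched_cve=True),
    Asset("203.0.113.11", 500, "udp", product="IKE responder"),
    Asset("203.0.113.12", 443, "tcp", product="nginx", title="Corporate Website",
          cert_not_after=date(2026, 1, 1)),
    Asset("203.0.113.13", 1194, "udp"),
    Asset("203.0.113.14", 443, "tcp", product="ExampleVPN",
          title="ExampleVPN SSL-VPN Login", cert_not_after=date(2026, 6, 1)),
]
TODAY = date(2025, 10, 1)  # fixed so the result is reproducible


def demo() -> list[Finding]:
    return triage(SAMPLE_ASSETS, TODAY)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.level:6} {f.asset.ip}:{f.asset.port}/{f.asset.proto}  {'; '.join(f.reasons)}")
```

The unpatched ExampleVPN portal with an expired certificate lands at the top as High; a bare IKE responder or OpenVPN endpoint is Medium because it is reachable but has no known flaw; the nginx site on 443 stays Low because the fingerprint does not indicate a VPN. Real inventories add product/version to CVE correlation, which this example takes as an input flag.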

Operator Response Strategies

Below are the key security measures organizations should strengthen to prevent incidents similar to the Asahi ransomware attack.

1) Regular External Exposure Audits Using Criminal IP ASM

Since a single VPN vulnerability led to the compromise, organizations must routinely verify which assets are exposed to the internet and ensure they are properly secured.

2) Patch Edge Devices and Enforce Strong Authentication

Keeping external-facing systems, such as VPN appliances and firewalls, fully patched is essential. Even basic measures like enforcing MFA and closing unnecessary ports can greatly reduce the likelihood of initial intrusion.

3) Establish a Structure to Prevent Lateral Movement

Even if an intrusion occurs, the following foundational internal controls are essential to prevent the damage from propagating across the entire environment.

  • Network segmentation
  • Least-privilege access enforcement

4) Implement Robust Anomaly Detection

To identify attack indicators quickly, such as bursts of failed VPN logins from a single source, a successful login that follows a run of failures, password spraying across many accounts, or mass file modification consistent with encryption, organizations should operate SOC/XDR-based monitoring and detection to improve early-response capability.
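The login-anomaly detections mentioned above, implemented over sample log lines, as an added example that is not part of the original post or any vendor's detection content. The log layout is a generic key=value format constructed for this example (not FortiGate, Palo Alto, or SonicWall syslog), and the thresholds are illustrative starting points for tuning.

```python
"""VPN authentication anomaly detection over constructed sample logs (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <host> auth user=<u> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_lines(lines):
    """Parse matching lines, skip anything else, and return events in time order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["user"], m["src"], m["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def detect(events, window=timedelta(minutes=10), fail_threshold=5,
           spray_users=3, success_after=3):
    """Sliding-window rules per source IP:
    - brute_force: >= fail_threshold failures within the window
    - password_spraying: failures against >= spray_users distinct accounts
    - success_after_failures: a success preceded by >= success_after failures
    Each (rule, src) pair fires once, so a noisy source does not flood the queue."""
    alerts = []
    recent = defaultdict(deque)  # src -> deque of (ts, user) for failures in window
    fired = set()

    def fire(rule, ev):
        if (rule, ev.src) not in fired:
            fired.add((rule, ev.src))
            alerts.append({"rule": rule, "src": ev.src, "user": ev.user,
                           "ts": ev.ts.isoformat()})

    for ev in events:
        q = recent[ev.src]
        while q and ev.ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if ev.ok:
            if len(q) >= success_after:
                fire("success_after_failures", ev)
            continue
        q.append((ev.ts, ev.user))
        if len(q) >= fail_threshold:
            fire("brute_force", ev)
        if len({u for _, u in q}) >= spray_users:
            fire("password_spraying", ev)
    return alerts


# Constructed sample: a brute force that eventually succeeds, a low-and-slow
# spray across three accounts, and benign traffic from a third source.
SAMPLE_LOG = """
2025-09-28T02:00:05Z vpn-gw auth user=alice src=198.51.100.7 result=failure
2025-09-28T02:01:10Z vpn-gw auth user=alice src=198.51.100.7 result=failure
2025-09-28T02:02:14Z vpn-gw auth user=alice src=198.51.100.7 result=failure
2025-09-28T02:03:20Z vpn-gw auth user=alice src=198.51.100.7 result=failure
2025-09-28T02:04:31Z vpn-gw auth user=alice src=198.51.100.7 result=failure
2025-09-28T02:05:02Z vpn-gw auth user=alice src=198.51.100.7 result=success
2025-09-28T02:10:00Z vpn-gw auth user=bob src=198.51.100.9 result=failure
2025-09-28T02:11:00Z vpn-gw auth user=carol src=198.51.100.9 result=failure
2025-09-28T02:12:00Z vpn-gw auth user=dave src=198.51.100.9 result=failure
2025-09-28T03:30:00Z vpn-gw auth user=alice src=198.51.100.7 result=failure
2025-09-28T09:00:00Z vpn-gw auth user=erin src=192.0.2.20 result=success
2025-09-28T09:01:00Z vpn-gw auth user=erin src=192.0.2.20 result=failure
""".strip().splitlines()


def run_demo():
    return detect(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The success at 02:05 from 198.51.100.7 is the alert that matters most: it is the pattern of a credential attack that worked, and it should open an incident and force a session revocation rather than sit in a daily report. The 03:30 failure from the same source falls outside the window and is ignored, which is why the window length is a tuning decision, not a constant.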

5) Maintain Backup and Recovery Procedures

As the Asahi case shows, once encryption succeeds across servers and endpoints, backups are the final line of defense. Offline or immutable backups and regularly tested restores must remain mandatory practices; a backup that has never been restored is an assumption, not a control.

FAQ

Q1. Is there a way to completely prevent ransomware attacks like the Asahi GHD incident?

Completely eliminating the risk of ransomware is unrealistic, but blocking the initial access vector significantly reduces the likelihood of a major breach.
As seen in the Asahi case, a vulnerability in an externally exposed VPN appliance served as the attacker’s entry point. Continuously monitoring external assets with an Attack Surface Management (ASM) platform, such as Criminal IP ASM, is one of the most effective preventive measures.

Q2. Our company doesn’t have many external assets. Do we really need ASM?

The issue is not the number of external assets, but whether they are exposed and contain vulnerabilities. Security incidents affect not only large enterprises but also mid-sized and small companies, and their starting point is often a single unpatched system or an abandoned device. ASM automatically discovers Shadow IT, making it valuable regardless of organizational size.

Conclusion

The Asahi GHD ransomware attack clearly demonstrates how a single externally exposed vulnerability can escalate into a complete operational shutdown. Because the attackers exploited a known VPN flaw for initial access, proactively identifying and managing the external attack surface is essential.
Had this exposure been detected and remediated earlier, the internal spread and the large-scale disruption might have been avoided, and drastic measures such as suspending VPN access might not have been necessary. Criminal IP ASM enables organizations to discover external assets automatically and prioritize remediation by actual risk, making proactive defense possible.

For background on the approach, see the related post Why Attack Surface Management (ASM) is Essential for Cybersecurity.


Source: Criminal IP (https://www.criminalip.io), Asahi GHD (https://www.asahigroup-holdings.com/newsroom/detail/20251127-0104.html)

Related Article: https://www.criminalip.io/knowledge-hub/report/26295
