The Gentlemen ransomware group struck Australia's second-largest sugar producer on June 10, 2026, idling two of three mills and forcing over 1,300 family farms to stop cane harvesting on the opening day of the crushing season. Gentlemen claimed responsibility on June 15, threatening data publication by June 26. Mackay Sugar confirmed external access to its IT environment but has not officially attributed the attack.

On June 10, 2026, Mackay Sugar, Australia's second-largest sugar producer, suffered a cyberattack that forced the suspension of operations at two of its three mills. The impact cascaded immediately: more than 1,300 family-run farms in Queensland's Mackay region were ordered to halt sugar cane harvesting just as the crushing season — the year's most intensive production period — got underway. The Gentlemen ransomware group claimed responsibility on June 15 via its dark web leak site. The company confirmed external access to its IT environment but has not officially attributed the attack.

Key Takeaways
  • Two of three mills (Farleigh and Racecourse) were taken offline on June 10; the Marian mill was unaffected.
  • Over 1,300 farms in the Mackay region had to suspend cane harvesting because the cane could not be processed.
  • Gentlemen, a RaaS group active since late 2025 with more than 480 claimed victims, claimed the attack on June 15 with a threat to publish data by June 26.
  • Mackay Sugar stated it had "found evidence that an external party gained access to parts of its IT environment" and is verifying the nature and extent of any data accessed.
"We are working urgently to verify these claims, including the nature and extent of any information that may have been accessed" — Mackay Sugar

Sugar Season Halted on Day One

The attack was precisely timed. June 10 marks the conventional start of the crushing season in the Mackay region, when cane reaches optimal maturity and logistical pressure peaks. Taking Farleigh and Racecourse offline created an immediate downstream disruption: without operating mills, cut cane cannot be transported and processed, and cane loses sugar content quickly once cut, so harvesting had to stop rather than produce cane the mills could not take.

Canegrowers Mackay, the organization representing the region's more than 1,300 growers, confirmed the order to cease harvesting. Mackay Sugar generates over AUD 420 million in annual revenue. The geographic concentration of the industry — nearly 80% of national sugar production comes from Queensland — amplifies the cascading effect of a single digital point of failure on the physical supply chain.

The company proceeded with a phased restart. On June 12, the Farleigh mill resumed limited manual operation. By June 15, steam trials were underway; a fully normalized restart remained in the planning stage as of the latest available communications.

Who Is Gentlemen: From Emerging RaaS to Storm-2697

Microsoft tracks the group as Storm-2697. Emerging in late 2025, Gentlemen operates a Ransomware-as-a-Service model offering affiliates 90% of ransom payments. According to Microsoft and KELA, by June 13, 2026, the group had listed 483 victims on its leak site, with 380 added in the current year alone.

Group members have prior operational history with Qilin, LockBit, and other ransomware cartels. An internal leak on Rocket.Chat in May 2026 confirmed an operational core of roughly nine people, with the administrator known as "hastalamuerte" identified as a former Qilin affiliate. The same leak revealed the use of AI-based tools (DeepSeek, Qwen) to assist technical operations.

Gentlemen employs double extortion: system encryption paired with the threat of publishing stolen data. In the Mackay Sugar incident, the group set June 26, 2026, roughly ten days after its claim, as the deadline for the alleged release of materials.

GentleKiller: The Technical Infrastructure Lowering the Barrier to Entry

ESET, which tracks Gentlemen among the most active groups of 2026, published a dedicated analysis of the GentleKiller framework, a suite of EDR-killer tools developed and maintained centrally by the organization. Research by ESET's Jakub Souček documents at least eight variants of the framework, designed to terminate over 400 security processes across 48 distinct products. The group supplies these tools to less capable affiliates, drastically lowering the technical skill required to conduct sophisticated attacks.

The May 2026 internal leak confirmed operator conversations regarding the supply of EDR-killers, validating the model of centralized offensive development. Victim selection, according to ESET, is based primarily on FortiGate firewall configurations, suggesting targeted reconnaissance of perimeter infrastructure.

The group's encryptor, written in Go, uses Curve25519 for key exchange and XChaCha20 for encryption. Microsoft analyses indicate the presence of a "spread" argument enabling worm-like propagation characteristics, although this capability is not confirmed for the Mackay Sugar incident. Typical initial access vectors for the group involve unpatched perimeter devices or purchased credentials.
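As an added illustration (not code from this page, ESET or Microsoft), the script below shows one way to hunt for the behaviour the GentleKiller description implies: a single process requesting a PROCESS_TERMINATE handle on many security product processes within a short window, as recorded by Sysmon Event ID 10 (ProcessAccess). The log records and the watch-list of process names are constructed for the example; the GrantedAccess bit value is the documented Windows access right.

```python
"""Detect burst PROCESS_TERMINATE handle requests against security products in Sysmon Event ID 10 records."""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Windows process access right; also set inside PROCESS_ALL_ACCESS (0x1fffff)

# Watch-list of security product executables (lower-case basenames); extend per environment.
SECURITY_IMAGES = {
    "msmpeng.exe", "mssense.exe", "sensendr.exe", "csfalconservice.exe",
    "sentinelagent.exe", "ekrn.exe", "cbdefense.exe", "taniumclient.exe",
}

# Constructed sample: flattened Sysmon records, 'Key: value' pairs separated by '|'.
SAMPLE_EVENTS = [
    "EventID: 1|UtcTime: 2026-06-10 02:14:06.900|Image: C:\\Users\\Public\\svc_update.exe|CommandLine: svc_update.exe -kill",
    "EventID: 10|UtcTime: 2026-06-10 02:14:07.101|SourceImage: C:\\Users\\Public\\svc_update.exe|TargetImage: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe|GrantedAccess: 0x1fffff",
    "EventID: 10|UtcTime: 2026-06-10 02:14:07.245|SourceImage: C:\\Users\\Public\\svc_update.exe|TargetImage: C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe|GrantedAccess: 0x1",
    "EventID: 10|UtcTime: 2026-06-10 02:14:07.380|SourceImage: C:\\Users\\Public\\svc_update.exe|TargetImage: C:\\Program Files\\CrowdStrike\\CSFalconService.exe|GrantedAccess: 0x1001",
    "EventID: 10|UtcTime: 2026-06-10 02:14:07.512|SourceImage: C:\\Users\\Public\\svc_update.exe|TargetImage: C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe|GrantedAccess: 0x1",
    # Benign noise: one admin tool touching one agent, and a query-only handle with no terminate bit.
    "EventID: 10|UtcTime: 2026-06-10 02:20:00.000|SourceImage: C:\\Windows\\System32\\Taskmgr.exe|TargetImage: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe|GrantedAccess: 0x1fffff",
    "EventID: 10|UtcTime: 2026-06-10 02:21:00.000|SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Program Files\\CrowdStrike\\CSFalconService.exe|GrantedAccess: 0x1000",
]


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dict (only the first ':' of each pair separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def requests_terminate(granted_access: str) -> bool:
    """True when the hex GrantedAccess mask includes PROCESS_TERMINATE."""
    return int(granted_access, 16) & PROCESS_TERMINATE != 0


def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_edr_kill_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {source_image: sorted distinct security targets} for every source that requested
    PROCESS_TERMINATE on at least `threshold` distinct watch-listed processes inside `window`."""
    per_source = defaultdict(list)  # source image -> [(timestamp, target basename)]
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        target = basename(ev["TargetImage"])
        if target not in SECURITY_IMAGES or not requests_terminate(ev["GrantedAccess"]):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_source[ev["SourceImage"]].append((ts, target))

    alerts = {}
    for source, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {t for _, t in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[source] = sorted({t for _, t in events})
                break
    return alerts


if __name__ == "__main__":
    for source, targets in detect_edr_kill_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {source} requested PROCESS_TERMINATE on {len(targets)} security processes: {', '.join(targets)}")
```

Two caveats for anyone adapting this. Many legitimate tools request PROCESS_ALL_ACCESS, so the signal is the count of distinct security targets per source inside the window, not any single handle; tune the threshold and the watch-list to your estate. And a killer that terminates from kernel mode through a loaded driver never opens a user-mode handle, so Sysmon Event 10 will not see it; pair this logic with Sysmon Event ID 6 (driver loaded) monitoring for unexpected signed drivers.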

Immediate Actions

  • Verify visibility on perimeter devices: ESET identifies FortiGate configuration as Gentlemen's primary victim selection criterion. Organizations must ensure timely patching and audit exposed configurations on edge firewalls.
  • Enforce IT/OT segmentation: The Mackay Sugar incident compromised IT systems yet stopped physical plants. Architectural separation between IT networks and industrial control systems, with controlled and monitored crossings, reduces the surface over which an intrusion in one domain propagates to the other.
  • Harden EDR process resilience: The GentleKiller framework exists specifically to disable endpoint detection agents. Enable the vendor's tamper protection and test, under controlled conditions, whether agents survive process and service termination attempts; an agent that stops on a plain taskkill will not survive a dedicated EDR killer.
  • Plan continuity for critical seasonal windows: Operators of agricultural and food infrastructure must treat production peaks as periods of maximum exposure, anticipating digital system degradation scenarios with verified manual procedures and intermediate storage capacity.

Why Agriculture Has Become a Seasonal Target

The angle of the Mackay Sugar attack is temporal, not sectoral. Ransomware groups have learned to read production calendars: striking at the start of harvest multiplies the cost of downtime, making payment statistically more likely. Australian wheat, European sugar beet, US corn follow analogous rhythms. The overlap between digital vulnerability and an irreversible logistical window transforms cyber risk into food security risk.

Gentlemen embodies this evolution with particular clarity. Centralized EDR-killer development, victim proliferation, AI-assisted tooling, and a RaaS structure with a 90% split create a scalable organization that can hit multiple sectors without deep vertical expertise. The worm-like propagation capability, while unconfirmed in this incident, remains a theoretical accelerator of internal contagion.

The Mackay Sugar case is not a technical novelty; it demonstrates that attackers' operational understanding of agricultural timing has outpaced defenders'. How often Australian growers see their harvests depend on the cybersecurity of a cooperative enterprise will depend on how quickly this gap is closed.

Frequently Asked Questions

Did Mackay Sugar pay the ransom?
No public information exists on this. Australia's Cyber Security Act 2024 requires businesses above a turnover threshold to report ransomware payments to the government within 72 hours, but those reports are not made public, and none of the available reporting indicates whether a payment was made.

Were industrial (OT) systems directly compromised?
Available sources do not confirm direct access to industrial control systems. Mackay Sugar acknowledged external access to parts of its IT environment; the production halt is explained by the mills' functional dependence on IT systems, not by any verified compromise of control systems.

What data was actually stolen?
The nature and volume of data potentially accessed or exfiltrated have not been determined as of publication. Mackay Sugar explicitly stated it is investigating the extent of any information accessed.
