
Deep-Dive: The Gentlemen ransomware attack on Mackay Sugar


Prayukth K V
On June 10, 2026, Mackay Sugar, Australia's second-largest raw sugar producer, became the victim of a disruptive ransomware attack during the critical opening weeks of the annual sugarcane crushing season. The incident forced the immediate suspension of cane haulage and milling operations at two of its primary industrial facilities in North Queensland, the Farleigh and Racecourse mills. The disruption spread rapidly across the regional agricultural supply chain: with logistics, scheduling and intake coordination systems unavailable, local growers had to pause harvesting entirely.
The Gentlemen, a highly aggressive and rapidly expanding Ransomware-as-a-Service (RaaS) platform, has claimed responsibility for the incident. First observed in mid-2025 and ranked the second most active ransomware group by victim count in early 2026, the group distinguishes itself through an unheard-of 90/10 revenue split in favour of affiliates, and through an advanced, self-propagating Go-based encryptor with worm-like lateral movement capabilities.
The response from Mackay Sugar was swift: it initiated manual workarounds, recommencing limited, controlled manual crushing at Farleigh Mill by June 12 solely to process pre-harvested cane. However, full remediation of the core IT/OT orchestration systems is still ongoing as I write this article.
There are many takeaways from this incident. It is a textbook example of indirect Operational Technology (OT) disruption, and it highlights how modern agri-industrial operations remain structurally vulnerable to cyber-physical downtime. Even when a threat actor's malware never touches the Level 1/2 Distributed Control Systems (DCS) or Programmable Logic Controllers (PLCs), encrypting the Level 3/3.5 Manufacturing Execution Systems (MES), logistics scheduling and enterprise resource planning (ERP) systems is enough to paralyze physical production.
Timeline of events
The chronology of the incident spans a tight operational window during the peak seasonal surge:

June 3 – June 9, 2026 (Possible infiltration window), analyst assessment: Based on the Gentlemen group's standard TTPs, the threat actor likely established initial persistence via edge-network vulnerabilities or compromised corporate credentials several days before executing the payload, using that time for internal reconnaissance and data exfiltration.
June 10, 2026 (Daybreak): Mackay Sugar discovers a severe cybersecurity incident affecting its operations. Safety protocols are immediately initiated. Core enterprise systems, cane supply coordination, and logistics platforms are either disabled or encrypted.
June 10, 2026 (Morning): Industrial operations at Farleigh and Racecourse mills are suspended. Mechanical milling and rail-based cane haulage grind to a halt. A third regional facility, Marian Mill, escapes immediate disruption as it was not scheduled to commence seasonal operations until the following week.
June 10, 2026 (Mid-Day): Canegrowers Mackay, representing regional agricultural producers, issues an emergency directive to all local sugarcane farmers to cease harvesting immediately. Cut cane is highly perishable, so harvesting without a processing facility able to receive it means total crop loss.
June 12, 2026: Mackay Sugar announces the activation of manual operations. A highly restricted, "limited manual crushing operation" is activated at Farleigh Mill to clear cane harvested prior to the disruption. The company explicitly states that key cane supply and logistics systems remain offline, and that no new cane is being accepted.
June 15, 2026: Mackay Sugar issues an operational update indicating significant over-the-weekend progress in restoring core IT/OT scheduling infrastructure. Steam trials are used to validate systems. Concurrently, The Gentlemen ransomware group lists Mackay Sugar on its Tor-based leak site, initiating a countdown timer for public data exposure.
Threat actor profile: The Gentlemen (AKA Storm-2697)
Background
The Gentlemen ransomware operation was first documented by global threat intelligence units in mid-2025. Initially operating as a closed, private cybercrime cell, the group transitioned to a formalized Ransomware-as-a-Service (RaaS) business model around September 2025.
To beat the competition and capture market share from entrenched legacy RaaS operations, the group's administrators, Zeta88 and Hastalamuerte, instituted an unprecedented 90/10 revenue split: the operation retains only 10 percent of each ransom as commission, versus the 80/20 or 70/30 splits common across the industry.
An aggressive recruitment drive followed, attracting sophisticated initial access brokers (IABs), network penetration testers and seasoned human-operated ransomware teams. Around 23 affiliates reportedly joined in a single week in November 2025, a measure of the drive's success.
Known tooling and technical differentiation
The technical hallmark of The Gentlemen is its specialized encryptor payload.
Language and obfuscation: The ransomware is compiled in Go (Golang), providing cross-platform flexibility, and heavily obfuscated using Garble to break string detection patterns and hinder static reverse engineering.
Cryptographic architecture: The encryptor uses a hybrid two-layer key structure. In the standard construction this implies, each file gets a fresh ephemeral Curve25519 (X25519) key pair, a file key is derived from the shared secret with the operator's embedded public key, and the contents are encrypted with the XChaCha20 stream cipher. The symmetric cipher keeps encryption fast across high-capacity storage arrays, shrinking the window in which detection and response teams can intervene before total data lock, while the per-file key exchange means nothing the victim could use to recover the file key is ever written to disk.
Worm-like propagation: Unlike typical ransomware strains, which rely on operators to push the payload across the network with deployment scripts (custom PsExec wrappers or Group Policy Objects), The Gentlemen encryptor has integrated, parallel self-propagation that adapts to the network it lands in. On execution it launches automated lateral-movement routines against adjacent subnets, allowing it to compromise entire Active Directory domains within hours.
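To make the per-file key structure concrete, here is an added example in Python, written for this article; it is not the group's code and is not derived from any sample. It implements X25519 (RFC 7748) and XChaCha20 from scratch so it runs offline, and wraps them in the hybrid construction the description implies: each file gets a fresh ephemeral key pair, the shared secret with the operator's long-term public key becomes the file key, and only the ephemeral public key and nonce are stored alongside the ciphertext. The SHA-256 key derivation, the `eph_pub || nonce || ciphertext` layout and the function names are assumptions for illustration; the real encryptor's layout is not documented on this page.

```python
import hashlib
import os
import struct

P = 2**255 - 19                       # field prime for Curve25519
MASK32 = 0xFFFFFFFF
BASEPOINT = b"\x09" + b"\x00" * 31    # X25519 generator u = 9, little-endian
CHACHA_CONST = struct.unpack("<4I", b"expand 32-byte k")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519: Montgomery ladder over GF(2^255-19)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _qr(s, a, b, c, d):
    """ChaCha quarter round, in place on the 16-word state."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha_rounds(state):
    w = list(state)
    for _ in range(10):                               # 20 rounds = 10 double rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *idx)
    return w


def chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    """RFC 8439 block function: 64 bytes of keystream for one counter value."""
    state = list(CHACHA_CONST) + list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce12))
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(_chacha_rounds(state), state)])


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """HChaCha20 subkey: words 0-3 and 12-15 after 20 rounds, with no feed-forward."""
    w = _chacha_rounds(list(CHACHA_CONST) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16)))
    return struct.pack("<8I", *(w[:4] + w[12:]))


def xchacha20(key: bytes, nonce24: bytes, data: bytes) -> bytes:
    """XChaCha20 keystream XOR: an unauthenticated stream cipher, as the page describes."""
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(subkey, i // 64, nonce12)))
    return bytes(out)


def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def derive_file_key(shared_point: bytes) -> bytes:
    # Assumption: SHA-256 over the raw shared point; the real encryptor's KDF is not documented here.
    return hashlib.sha256(b"per-file-key" + shared_point).digest()


def encrypt_file(operator_pub: bytes, plaintext: bytes) -> bytes:
    eph_priv, eph_pub = keygen()                      # fresh key pair for this file only
    file_key = derive_file_key(x25519(eph_priv, operator_pub))
    nonce = os.urandom(24)
    blob = eph_pub + nonce + xchacha20(file_key, nonce, plaintext)
    del eph_priv, file_key                            # nothing secret is stored with the file
    return blob                                       # assumed layout: eph_pub || nonce || ciphertext


def decrypt_file(operator_priv: bytes, blob: bytes) -> bytes:
    """Only the operator's long-term private key can recompute the per-file shared secret."""
    eph_pub, nonce, ct = blob[:32], blob[32:56], blob[56:]
    return xchacha20(derive_file_key(x25519(operator_priv, eph_pub)), nonce, ct)
```

The point the code makes is structural: `encrypt_file` never needs the operator's private key, and once `eph_priv` and `file_key` go out of scope nothing on the victim's side can regenerate the shared secret, so decryption is gated entirely on a key that never touched the victim's network. XChaCha20 is used here as a bare stream cipher, exactly as the page describes; for defenders the practical consequence is that the only recovery paths are backups or the operator's key, not cryptanalysis.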
Mackay Sugar: Incident report
To maintain integrity, this analysis strictly separates verified institutional statements from threat intelligence interpretation.
Confirmed facts
Operational stoppage: Mackay Sugar verified that a cybersecurity incident compromised operational continuity on June 10, 2026. Haulage and milling ceased immediately at Farleigh and Racecourse mills.
Supply chain impact: Agricultural input stopped. Canegrowers Mackay confirmed harvesting was halted across multiple districts.
Extortion Status: On June 15, 2026, The Gentlemen ransomware group added Mackay Sugar to their Tor leak site registry. No public evidence currently confirms whether corporate data has been fully exfiltrated or leaked online, and Mackay Sugar has not publicly confirmed a data breach or extortion negotiation.
Recovery vectors: Industrial operations partially restarted via "manual processes" on June 12 to clear pre-existing inventory, with steam trials subsequently used to validate restored systems. Fully automated logistics systems are still under restoration.
Analyst assessment
The IT/OT nexus deficit: There is no explicit indication that the attackers reached the Level 1 or Level 2 control networks (for example by compromising SCADA servers or safety controllers). Our assessment is instead that the shutdown was caused by the dependency of physical operations on Level 3/3.5 industrial IT infrastructure.
Logistics as an operational kill-switch: Modern raw sugar production requires precise, continuous just-in-time logistics. Sugarcane must be crushed within 24 to 48 hours of being cut to prevent sucrose degradation. The systems managing the automated narrow-gauge cane railway networks, haulage schedules, and mill-intake weighbridges are inherently connected to the enterprise IT domain. By crippling these scheduling databases, the threat actors effectively caused a physical mill shutdown without needing to touch a single physical valve or variable-speed drive.
Possible attack path
Based on the documented historical behavior of Storm-2697 and the network topologies typically found across regional agri-industrial sites, Shieldworkz has reconstructed the following plausible attack chain. It is an analytical model, not a forensically confirmed sequence for the Mackay Sugar incident.

Initial access: The threat actor exploits a known vulnerability in an edge-facing VPN appliance or gains entry via compromised third-party vendor credentials lacking Multi-Factor Authentication (MFA).
Credential theft and privilege escalation: Once inside the corporate network, the actor runs automated credential harvesting utilities (e.g., dumping LSASS memory) to compromise internal administrative credentials, rapidly escalating to Domain Administrator status.
Discovery and data exfiltration: The actor maps internal file shares, prioritizing Level 3 Manufacturing Execution Systems (MES), enterprise resources, and logistics databases. Critical directories are compressed and exfiltrated via encrypted channels (e.g., Rclone over HTTPS) to cloud storage providers.
Payload execution: The primary operator runs The Gentlemen encryptor. The binary immediately invokes commands to strip local defenses, deleting shadow copies (vssadmin delete shadows) and stopping security agents.
Autonomous propagation: Utilizing the --shares parameter, the Go-based worm sub-routine queries Active Directory and SMB shares. It pushes the executable into adjacent network zones, crossing unsegmented or poorly firewalled IT/OT boundaries into the industrial demilitarized zone (IDMZ) and Level 3 production networks.
Physical halt: Automated systems coordinating cane receiving, industrial boiler monitoring dashboards, and telemetry databases are encrypted concurrently, forcing operators to execute an emergency manual shutdown of the mills to preserve equipment safety.
Root Cause Analysis: The vulnerability of agri-industrial infrastructure
Agri-industrial and food-processing environments suffer from a distinct set of generational engineering and architectural traits that make them highly appealing targets for modern RaaS groups:
The just-in-time vulnerability matrix: Threat actors understand that agricultural processing centers run on rigid, seasonal timelines such as the sugar crushing season. Downtime during those few weeks causes disproportionate financial losses, which amplifies extortion leverage and raises the likelihood of a rapid ransom payment.
The "Flat Network" legacy reality: Historically, many agricultural and processing operations grew organically. Corporate IT environments frequently share active communication pathways with industrial computing networks without strict firewall inspection. If a corporate workstation falls to ransomware, there are few structural boundaries to stop a self-propagating worm from jumping into Level 3 industrial networks.
Insufficient identity isolation: A common structural point of failure is the use of unified Active Directory (AD) architectures. If the same AD forest manages both corporate emails and industrial human-machine interfaces (HMIs), a total compromise of the corporate domain translates immediately to a total compromise of the production facility's identity framework.
Lack of deep OT visibility: Many industrial environments still have limited visibility into east-west traffic and lateral movement compared with mature enterprise IT environments. Network-level anomalies, unauthorized SMB scanning, and lateral movement go entirely unnoticed until the ransomware payload begins locking systems.
Why this incident matters to industrial organizations
The Mackay Sugar incident is not an isolated agricultural anomaly. Instead, it represents a systemic trend where criminal operations treat operational downtime as a monetization lever.
Food and beverage sector: This sector has historically prioritized physical safety and high throughput over digital segmentation. Because profit margins depend on continuous production, a multi-day shutdown can destroy an entire season’s profitability and disrupt downstream consumer supply chains.
Water and utilities: The logic driving the Mackay Sugar attack maps directly onto regional water treatment and power generation utilities. If remote telemetry links, billing databases, or operational scheduling portals are compromised, the physical utility may be forced to halt distribution due to a lack of situational awareness and regulatory compliance validation.
Critical infrastructure interdependencies: Modern industrial ecosystems are deeply intertwined. A halt in raw sugar processing impacts food manufacturing, transport logistics, regional rail operations, and export shipping schedules, demonstrating how a single localized cyber event can trigger cascading regional economic disruptions.
MITRE ATT&CK mapping
| Tactic | Technique ID | Technique Name | Specific Operational Behavior / Artifact |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of perimeter vulnerabilities in edge firewalls or network gateways to gain an initial foothold. |
| Initial Access | T1133 | External Remote Services | Use of compromised, single-factor legacy VPN endpoints or third-party vendor access portals. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Execution of batch files (.bat) and cmd.exe sub-routines to systematically terminate local security processes. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | Registration of a persistent binary execution task under the alias gentlemen_system to gain system-level execution. |
| Persistence | T1136.001 | Create Account: Local Account | Provisioning of backdoor local administrative accounts during the reconnaissance phase to survive password resets. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Use of local privilege-escalation exploits to move from a standard user context to NT AUTHORITY\SYSTEM. |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Modification of Registry Run keys so the self-propagating worm payload re-executes after reboot. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Programmatic uninstallation or disabling of Microsoft Defender for Endpoint and local anti-malware services. |
| Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Automated clearing of the Security, System and Application event logs via wevtutil to remove forensic trails. |
| Discovery | T1018 | Remote System Discovery | Automated subnet scanning built into the Go binary to map adjacent IP space. |
| Discovery | T1083 | File and Directory Discovery | Recursive scanning of local and attached network drives to identify high-value targets (databases, backup repositories). |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Automated propagation across internal subnets using valid credentials paired with the --shares child execution flag. |
| Collection | T1005 | Data from Local System | Aggregation of scheduling databases, financial logs and inventory files into staging directories. |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Transfer of staged archives to cloud storage (e.g., Mega) using the Rclone utility. |
| Impact | T1486 | Data Encrypted for Impact | Multi-threaded file encryption using the XChaCha20 + Curve25519 hybrid construction. |
| Impact | T1490 | Inhibit System Recovery | Deletion of volume shadow copies (vssadmin delete shadows /all /quiet) to prevent local restoration. |
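The behaviours in the attack path and in the table above are observable from host telemetry well before encryption completes. The following added Python example (written for this article, not taken from the cited sources) runs a handful of detection rules over constructed event records modelled on Sysmon Event ID 1 (process creation) and Event ID 3 (network connection): it flags shadow-copy deletion (T1490), event-log clearing (T1070.001), the gentlemen_system task name the table cites (T1053.005), and SMB fan-out, meaning one source opening TCP/445 to many distinct peers within a short window, which is the network-visible signature of the worm-like propagation (T1021.002). Hostnames, addresses and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not a real capture), modelled on Sysmon Event ID 1
# (process creation) and Event ID 3 (network connection). All host and address values are invented.
EVENTS = [
    {"ts": "2026-06-10T03:58:01", "host": "ENG-WS07", "type": "process",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2026-06-10T03:58:02", "host": "ENG-WS07", "type": "process",
     "cmdline": "schtasks /create /tn gentlemen_system /tr C:\\ProgramData\\svc.exe /sc onstart /ru SYSTEM"},
    {"ts": "2026-06-10T03:58:05", "host": "ENG-WS07", "type": "process",
     "cmdline": "wevtutil cl Security"},
    {"ts": "2026-06-10T03:59:00", "host": "FILESRV1", "type": "process",
     "cmdline": "notepad.exe shift-log.txt"},                      # benign control
    {"ts": "2026-06-10T04:05:00", "host": "FILESRV1", "type": "network",
     "src": "10.20.3.5", "dst": "10.20.3.9", "dport": 445},        # one SMB session: normal
] + [
    # 25 SMB connections from one workstation to 25 distinct hosts in 25 seconds
    {"ts": f"2026-06-10T04:00:{i:02d}", "host": "ENG-WS07", "type": "network",
     "src": "10.20.3.17", "dst": f"10.30.1.{i}", "dport": 445}
    for i in range(1, 26)
]

# Host-side rules keyed to the techniques in the table above.
PROCESS_RULES = [
    ("T1490 shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1070.001 event log clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1053.005 scheduled task 'gentlemen_system'", re.compile(r"/tn\s+\"?gentlemen_system\b", re.I)),
]


def match_process_rules(events):
    """Return (timestamp, host, rule name) for every process event matching a rule."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for name, rx in PROCESS_RULES:
            if rx.search(ev["cmdline"]):
                hits.append((ev["ts"], ev["host"], name))
    return hits


def detect_smb_fanout(events, window=timedelta(seconds=60), threshold=10):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 inside a sliding window.

    One host talking to many peers on 445 within seconds is the network signature of worm-like
    propagation over admin shares (T1021.002); ordinary file-server use looks nothing like it.
    Returns {source_ip: largest number of distinct targets seen in any window}.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["type"] == "network" and ev["dport"] == 445:
            by_src[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["dst"]))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        left = 0
        for right in range(len(conns)):
            while conns[right][0] - conns[left][0] > window:
                left += 1
            distinct = {dst for _, dst in conns[left:right + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ts, host, rule in match_process_rules(EVENTS):
        print(f"{ts} {host}: {rule}")
    for src, n in detect_smb_fanout(EVENTS).items():
        print(f"SMB fan-out from {src}: {n} distinct targets within 60s")
```

The fan-out threshold (10 distinct targets in 60 seconds) is a tuning assumption; a file server legitimately accepts many inbound 445 sessions, which is why the rule keys on distinct destinations per source rather than on raw volume. In a real deployment the same logic belongs in the SIEM or the OT NDR as a correlation rule, and the process rules should be extended with the EDR-tampering commands the table lists under T1562.001.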
Mitigating the Attack Path (IEC 62443 / NIST Control Mapping)
To break this specific chain of techniques, defensive engineering teams should prioritize the following structural control alignments:
To Disrupt Initial Access (T1190, T1133): Enforce Zero Trust Network Access (ZTNA) endpoints backed by phishing-resistant Multi-Factor Authentication (FIDO2) for all external remote services.
To Disrupt Lateral Movement (T1021.002): Implement hard network segmentation between the corporate IT domain and Level 3/3.5 Industrial Operational zones in strict compliance with the ISA/IEC 62443-3-2 Zones and Conduits framework. Isolate Active Directory forests completely.
To Disrupt Impact (T1486, T1490): Establish immutable, air-gapped backups stored in an offline architecture completely detached from both the IT enterprise domain and operational subnets.
OT security lessons learned and actionable recommendations
To mitigate the risk of self-propagating RaaS threats like The Gentlemen, industrial operators must execute a defensive strategy tailored explicitly for cyber-physical safety.
Architectural Segmentation & Perimeter Hardening
Enforce a True Industrial DMZ (IDMZ): Implement a strict structural separation between the corporate IT network and the OT production network in alignment with the Purdue Model. No direct corporate-to-OT communications should exist. All data exchanges (e.g., data historians, MES updates) must terminate within a heavily restricted IDMZ.
Eliminate Persistent VPN Access: Transition all internal and third-party remote connections from traditional, persistent VPN architectures to a Zero Trust Network Access (ZTNA) model. Remote access must be session-scoped, explicitly authenticated via phishing-resistant Multi-Factor Authentication (MFA), and restricted to specific engineering endpoints.
Identity isolation and credential hygiene
Establish separate Active Directory architectures: Corporate Active Directory must be entirely separated from industrial control system domains. Trust relationships between IT and OT AD forests should be eliminated so that a corporate domain compromise cannot act as a master key to the factory floor.
Engineering workstation hardening: Isolate Level 2/3 engineering workstations from general internet access. Block SMB communications between workstations within the same local subnet to neutralize the worm-like lateral movement mechanics utilized by groups like Storm-2697.
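One way to turn the segmentation and SMB-blocking guidance above into a repeatable check, added here as an example (hypothetical zone names, addressing and rules; not Mackay Sugar's configuration and not any product's output): classify each firewall rule by the IEC 62443 zone of its source and destination, then flag any allow rule that lets the enterprise zone reach Level 3 or below without terminating in the IDMZ, any SMB/RPC/WinRM allowed from one zone into an OT zone, and any rule permitting those services between hosts of the same workstation zone.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zone map (Purdue levels treated as IEC 62443 zones); the addressing is invented.
ZONES = {
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),   # Level 4/5 corporate IT
    "idmz":       ipaddress.ip_network("10.25.0.0/24"),   # Level 3.5 industrial DMZ
    "site_ops":   ipaddress.ip_network("10.30.0.0/16"),   # Level 3: MES, historians, scheduling
    "cell":       ipaddress.ip_network("10.40.0.0/16"),   # Level 2: HMIs, engineering workstations
    "control":    ipaddress.ip_network("10.50.0.0/16"),   # Level 1: PLCs, drives
}
OT_ZONES = {"site_ops", "cell", "control"}
WORKSTATION_ZONES = {"site_ops", "cell"}
# Services a self-propagating encryptor rides on; an "any" rule counts as all of them.
LATERAL_PORTS = {445: "SMB", 139: "NetBIOS session", 135: "RPC endpoint mapper", 5985: "WinRM"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None means any port
    action: str            # "allow" or "deny"


def zone_of(cidr: str) -> Optional[str]:
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return None            # unknown address space (including 0.0.0.0/0)


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per segmentation violation found in the allow rules."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        svc = "any" if r.dport is None else LATERAL_PORTS.get(r.dport)
        if s == "enterprise" and d in OT_ZONES:
            findings.append(f"{r.name}: enterprise -> {d} conduit bypasses the IDMZ "
                            "(IEC 62443-3-2: cross-zone conduits must terminate in idmz)")
        if s is not None and d in OT_ZONES and s != d and svc:
            findings.append(f"{r.name}: {svc} allowed from {s} into {d}; worm-style propagation path")
        if s == d and s in WORKSTATION_ZONES and svc:
            findings.append(f"{r.name}: {svc} allowed between hosts inside {s}; "
                            "block workstation-to-workstation SMB/RPC")
    return findings


# Constructed rule base for illustration, not a real site's configuration.
SAMPLE_RULES = [
    Rule("erp-to-mes-direct", "10.20.0.0/16", "10.30.10.0/24", 1433, "allow"),  # corporate straight into L3
    Rule("it-smb-to-ot", "10.20.3.0/24", "10.30.0.0/16", 445, "allow"),          # SMB across the IT/OT boundary
    Rule("eng-vlan-any", "10.40.5.0/24", "10.40.5.0/24", None, "allow"),         # any/any inside engineering VLAN
    Rule("historian-to-idmz", "10.30.2.0/24", "10.25.0.0/24", 443, "allow"),     # brokered via IDMZ: acceptable
    Rule("idmz-to-mes", "10.25.0.0/24", "10.30.10.0/24", 1433, "allow"),         # brokered via IDMZ: acceptable
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Exported rule bases from real firewalls carry more fields (interfaces, protocols, schedules), but the three checks map one-to-one onto the recommendations: the first enforces the conduit-terminates-in-IDMZ rule, the second closes the path the worm takes across the boundary, and the third is the intra-subnet SMB block for engineering workstations. Running the audit on every rule change is far cheaper than discovering the gap mid-season.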
Continuous monitoring and network visibility
Deploy OT-Specific Network Detection and Response (NDR): Traditional IT EDR solutions cannot be installed on legacy PLCs or specialized industrial platforms. Operators must deploy passive, non-intrusive OT monitoring tools capable of inspecting industrial protocols (e.g., Modbus, EtherNet/IP, Profinet) to detect anomalous asset discovery, lateral movement, or unauthorized configuration changes.
Log consolidation and analysis: Ensure that log sources from IDMZ firewalls, industrial switches, and safety gateways are securely aggregated into an isolated, read-only repository, allowing incident response teams to perform rapid forensic triage without risk of log deletion by the threat actor.
Resilient backup and recovery workflows
Implement immutable, offline (Air-Gapped) backups: The Gentlemen encryptor explicitly targets and deletes local Windows shadow copies and accessible network shares. Industrial organizations must maintain a strict 3-2-1-1 backup strategy: 3 copies of data, across 2 different media types, with 1 copy stored offsite, and 1 copy maintained completely offline or in an immutable repository.
Conduct regular "Cold-Start" testing: Regularly practice restoring plant operations purely from offline backups onto bare-metal hardware. Validate the exact operational recovery sequence, ensuring that engineering teams can manually run critical infrastructure segments if IT systems remain dark.
Mapping defensive recommendations to global security frameworks
To assist security leadership in building a compliance-backed business case for these security investments, the defensive recommendations outlined above map directly to established global cybersecurity standards:
| Recommended control category | IEC 62443 alignment | NIST CSF 2.0 | Australian Essential Eight | CIS Controls v8 |
|---|---|---|---|---|
| Network segmentation | ISA/IEC 62443-3-2 (Zones and Conduits) | PR.IR-01 (Networks and environments are protected from unauthorized logical access) | Not one of the Essential Eight; covered by ACSC network segmentation and segregation guidance | Control 12: Network Infrastructure Management |
| Multi-Factor Authentication | ISA/IEC 62443-3-3 / 4-2 (FR 1, Identification and Authentication Control) | PR.AA-03 (Users, services and hardware are authenticated) | Multi-factor authentication (Maturity Level 3) | Control 6: Access Control Management |
| Continuous monitoring | ISA/IEC 62443-3-3 (FR 6, Timely Response to Events) | DE.CM-01 (Networks and network services are monitored) | Not one of the Essential Eight; covered by ISM event logging and monitoring guidelines | Control 13: Network Monitoring and Defense |
| Data backup and recovery | ISA/IEC 62443-3-3 (FR 7, Resource Availability; SR 7.3 Control system backup) | PR.DS-11 (Backups are created, protected, maintained and tested); RC.RP-01 (Recovery plan executed) | Regular backups (Maturity Level 3) | Control 11: Data Recovery |
Key takeaways for CISOs and board members
The Mackay Sugar incident demonstrates that cyber defense is no longer an abstract IT concern. Instead, it is a fundamental pillar of corporate operational resilience and fiduciary governance.
Strategic risks
The myth of "we aren't a target": RaaS operations like The Gentlemen are highly opportunistic and volumetrically driven. They do not look for specific industries; they scan the internet for exploitable vulnerabilities. Any organization running vulnerable, internet-facing assets is a potential target.
Financial impact beyond the ransom: The primary financial damage of an industrial cyber incident stems from production downtime, supply chain penalties, contractual breaches, and reputational erosion—not the ransom demand itself.
Questions boards should ask their executive leadership
“If our corporate email network is completely compromised and encrypted tomorrow morning, can our manufacturing plants and logistics networks continue to run safely in isolation?”
“Do we have a fully documented, tested, and validated manual operational workaround process that allows us to sustain production without relying on our core IT infrastructure?”
“Are our industrial backups stored in an immutable or truly air-gapped environment that is structurally out of reach of a self-propagating ransomware worm?”
Immediate action items for security leaders
Audit external exposure: Immediately scan and audit all internet-facing assets, firewalls, and remote access pathways, ensuring comprehensive patching against known exploited vulnerabilities.
Validate identity isolation: Perform an immediate review of Active Directory structures, verifying that administrative credentials are bifurcated and that MFA is strictly enforced across all operational touchpoints.
Engage in joint incident exercises: Conduct tabletop simulation exercises that bring together IT security, OT engineering, plant managers, and executive leadership to run through a simulated total enterprise encryption event.
References
ABC News Australia: “The Gentlemen ransomware group claims cyberattack on North Queensland sugar producer Mackay Sugar.” (Published June 18, 2026.)
SecurityWeek: “Ransomware Attack Shuts Down Mills of Australia's Second-Largest Sugar Producer.” (Published June 15, 2026.)
Cyber Daily: “Exclusive: Mackay Sugar cyber attack claimed by The Gentlemen ransomware.” (Published June 16, 2026.)
Microsoft Threat Intelligence Blog: “The Gentlemen ransomware: Dissecting a self-propagating Go encryptor (Storm-2697 TTP Analysis).” (Published May 28, 2026.)
Industrial Cyber Feature: “State-backed and RaaS ransomware activity raises new concerns over escalating threats to OT, critical infrastructure operations.” (Published June 16, 2026.)
The Record Media: “Cyberattack shuts down major Australian sugar mills, disrupting harvest.” (Published June 11, 2026.)
Recommended reading
How to Respond to a Ransomware Attack in OT Environments
https://shieldworkz.com/regulatory-playbooks/how-to-respond-to-a-ransomware-attack-in-ot-environments
ICS Ransomware Defense Playbook: OT & ICS Cybersecurity Guide 2025
https://shieldworkz.com/regulatory-playbooks/ics-ransomware-defense-playbook-ot-ics-cybersecurity-guide-2025
How Ransomware Attacks Disrupt Industrial Systems
https://shieldworkz.com/blogs/how-ransomware-attacks-disrupt-industrial-systems
OT Incident Response Checklist
https://shieldworkz.com/regulatory-playbooks/operational-technology-ot-incident-response-checklist
OT Cybersecurity Baseline Assessment Checklist
https://shieldworkz.com/regulatory-playbooks/ot-cybersecurity-baseline-assessment-checklist
