Ransomware Shuts Down Mackay Sugar: When The Gentlemen Came for Australia's Cane Fields
On 10 June 2026, Mackay Sugar, Australia's second-largest raw sugar producer, confirmed that a cyber incident had forced two of its three Queensland mills to halt operations. Growers supplying those mills, roughly 1,300 cane-farming families across North Queensland, were told to stop harvesting, and the cogeneration facility that supplies power equivalent to approximately 27,000 households was disrupted. Five days later, on 15 June, the threat actor responsible, The Gentlemen ransomware group, formally named Mackay Sugar on its dark-web leak site. Negotiations, if any are under way, are not public.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
What Happened at Mackay Sugar
Mackay Sugar operates three cane-processing mills in Queensland — Farleigh, Racecourse, and Marian — and is Australia's second-largest raw sugar manufacturer, producing more than 700,000 tonnes of raw sugar annually. The company also runs a cogeneration facility that supplies roughly one-third of the Mackay region's electricity, the equivalent of approximately 27,000 households.
On 10 June 2026, just days into the annual crushing season, Mackay Sugar issued a public statement confirming it was "responding to a cybersecurity incident" affecting operations at two of its mills. The Farleigh and Racecourse mills were shut down, and growers supplying cane to those facilities were instructed to immediately cease harvesting. Rail transport used to deliver cut cane was also halted, leaving harvested cane in the field and machinery idle across the region. According to reporting by The Record, the knock-on effect reached approximately 1,300 family-owned cane farms.
The company engaged external cybersecurity experts and notified the relevant authorities. By 12 June, Mackay Sugar announced that "limited manual crushing" had recommenced at one mill to process cane harvested before the incident. A manually controlled restart rather than a return to automated operation indicates that the control systems were unavailable, either because the attack reached operational technology directly or because the mill isolated its OT from a compromised IT network as a precaution; the company has not said which, and the second pattern is the one seen at Colonial Pipeline in 2021. As of 15 June, steam trials and final validation activities were under way in preparation for a staged return to full crushing operations.
On 15 June, the ransomware group known as The Gentlemen formally listed Mackay Sugar on its Tor-based dark-web data leak site, according to SecurityWeek. At the time of writing, no data has been published. In double-extortion ransomware attacks, this is typical: the leak listing is a pressure mechanism, intended to force payment before the group releases stolen files publicly. Whether Mackay Sugar is engaging with the attackers' demands has not been disclosed.
Why a Sugar Mill Attack Matters Beyond the Farm Gate
At first glance, a ransomware attack on a sugar producer might seem like a niche industry problem. It is not. The Mackay Sugar incident illustrates several converging risks that apply to any Australian business operating physical infrastructure alongside networked IT systems.
Food supply chain disruption. Sugar cane is a perishable commodity. Once cut, it must be processed within hours or the sucrose content degrades. Telling 1,300 farming families to stop harvesting mid-season — because the mills that accept their cane can no longer operate — translates directly into lost income and potentially spoiled crop. The 2026 crushing season runs from approximately June to December; an extended outage would have compounded losses dramatically. Mackay Sugar's ability to resume limited manual operations within 48 hours mitigated the worst outcomes, but the disruption was real and measurable.
Energy infrastructure implications. Mackay Sugar's cogeneration facility — which burns bagasse (sugarcane fibre) to produce electricity — supplies approximately one-third of the Mackay region's power grid requirements. Disrupting the sugar mill disrupts a local energy source. This is precisely the type of critical infrastructure interdependency that the Australian Cyber Security Centre (ACSC) has flagged in its guidance on operational technology cybersecurity: a cyber incident against what appears to be an industrial business can cascade into essential services.
The agriculture sector is under-prepared. Reporting by Industrial Cyber notes that the Mackay Sugar attack is consistent with a broader trend of threat actors targeting food and agriculture businesses globally. Unlike financial services or healthcare, the agriculture sector has historically had lower cybersecurity investment and fewer mandated compliance requirements. Many operators are running OT (operational technology) systems — PLCs, SCADA, HMIs — that were designed decades before internet connectivity became standard, and that have since been networked for efficiency without corresponding security uplift.
Timing maximises pressure. Whether The Gentlemen chose the start of the crushing season deliberately or simply struck when access became available is not public, but established ransomware operators routinely research operational schedules, financial cycles and seasonal pressures before deploying their payload. An agricultural business mid-season, with perishable crop in the field, contracted delivery obligations and seasonal workers on site, is under maximum pressure to pay and restore operations quickly.
Inside The Gentlemen: A Self-Spreading Go Ransomware
Microsoft Threat Intelligence tracks The Gentlemen's operators as Storm-2697, a financially motivated group running a ransomware-as-a-service (RaaS) platform. The group surfaced in September 2025 and by mid-June 2026 had listed 483 victims across 66 countries and more than 20 industry sectors. Of those victims, 380 were claimed in 2026 alone — making The Gentlemen the second-most-prolific ransomware brand by published victim count this year, behind only Qilin.
Self-propagating worm capability
The malware is written in Go and obfuscated using Garble to hinder reverse engineering. Its most operationally significant feature is a built-in worm capability: when invoked with the --spread argument, the ransomware automatically attempts to deploy its encryptor to every reachable system on the local network. According to Microsoft's analysis, this self-spreading function uses 21 distinct lateral movement techniques per target host, including PsExec, Windows Management Instrumentation (WMI), scheduled tasks, Windows services, and PowerShell remoting. That breadth of movement means a single uncontained infection can traverse a flat or poorly segmented network at speed, encrypting systems across IT and OT environments simultaneously. One caveat matters for defenders: every one of those techniques runs code on the remote host with credentials the malware already holds, and all of them require local administrator rights on the target. A worm launched from a low-privilege workstation in a properly tiered domain spreads far less than one launched with a domain administrator token, which is why the privilege controls discussed below do so much of the work.
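The worm behaviour described above has a recognisable signature in Windows event logs: one source address reaching many hosts through several different remote-execution techniques in minutes, where a legitimate patch or deployment server normally uses one technique and a predictable schedule. The detector below is an added example, not code from the original article or from Microsoft's analysis of The Gentlemen. It maps the five techniques the article names to the event IDs they usually leave behind (7045 service install, 4698 scheduled task, 4688 process creation with a WMI or PowerShell-remoting parent) and alerts on fan-out; the event records, hostnames, addresses and thresholds are all constructed assumptions to be tuned per site.

```python
"""Worm-style lateral movement fan-out detector over Windows event records.

Added example, not from the original article or from Microsoft's analysis.
All events, hosts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    target: str       # host that recorded the event
    source: str       # remote address that initiated the activity
    event_id: int
    detail: str = ""  # service name, task name or parent process


@dataclass
class Alert:
    source: str
    targets: set
    techniques: set
    first_seen: datetime
    last_seen: datetime


def classify(ev):
    """Return the remote-execution technique an event indicates, or None.

    7045 = service installed (PsExec drops PSEXESVC), 4698 = scheduled task
    created, 4688 = process creation (parent WmiPrvSE.exe means WMI-spawned,
    parent wsmprovhost.exe means a PowerShell remoting session).
    Plain network logons (4624) are deliberately ignored: too noisy.
    """
    d = ev.detail.lower()
    if ev.event_id == 7045:
        return "psexec" if "psexesvc" in d else "service"
    if ev.event_id == 4698:
        return "schtask"
    if ev.event_id == 4688:
        if "wmiprvse.exe" in d:
            return "wmi"
        if "wsmprovhost.exe" in d:
            return "psremoting"
    return None


def detect_fanout(events, window=timedelta(minutes=10),
                  min_targets=3, min_techniques=2):
    """Alert on any source that reaches >= min_targets hosts using
    >= min_techniques techniques within `window` (sliding, per source).
    Thresholds are assumptions: a patch server uses one technique on many
    hosts; a worm tries several techniques on every host it can see."""
    by_source = defaultdict(list)
    for ev in events:
        tech = classify(ev)
        if tech:
            by_source[ev.source].append((ev.time, ev.target, tech))

    alerts = []
    for source, hits in by_source.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            win = hits[start:end + 1]
            targets = {t for _, t, _ in win}
            techs = {x for _, _, x in win}
            if len(targets) >= min_targets and len(techs) >= min_techniques:
                if best is None or len(targets) > len(best.targets):
                    best = Alert(source, targets, techs, win[0][0], win[-1][0])
        if best:
            alerts.append(best)
    return alerts


T0 = datetime(2026, 6, 10, 2, 14, 0)
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    # one compromised workstation spraying the site in four minutes
    Event(T0, "FS-01", "10.20.5.17", 7045, "PSEXESVC"),
    Event(T0 + timedelta(seconds=40), "ENG-WS-03", "10.20.5.17", 4698, "UpdateCheck"),
    Event(T0 + timedelta(minutes=2), "HMI-01", "10.20.5.17", 4688, "parent=WmiPrvSE.exe"),
    Event(T0 + timedelta(minutes=3), "DC-01", "10.20.5.17", 4688, "parent=wsmprovhost.exe"),
    Event(T0 + timedelta(minutes=4), "FS-02", "10.20.5.17", 7045, "PSEXESVC"),
    Event(T0, "FS-01", "10.20.5.17", 4624, "logon type 3"),  # ignored by classify
    # benign: patch server installing its agent on two hosts, one technique
    Event(T0 - timedelta(hours=5), "FS-01", "10.20.1.5", 7045, "PatchAgentSvc"),
    Event(T0 - timedelta(hours=5), "FS-02", "10.20.1.5", 7045, "PatchAgentSvc"),
]


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"{a.source}: {len(a.targets)} hosts via {sorted(a.techniques)} "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}")
```

Run against the sample, the detector raises one alert for 10.20.5.17 (five hosts, four techniques in four minutes) and nothing for the patch server. In production the same logic sits on a SIEM's correlated 7045/4698/4688 feed; the point is to key on the combination of breadth and technique diversity, which a worm cannot avoid producing, rather than on any single event type.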
Initial access via Fortinet flaws
The Gentlemen have been observed exploiting Fortinet FortiGate vulnerabilities as their preferred initial access vector. Fortinet products are widely deployed across Australian businesses and government agencies as perimeter firewalls and VPN appliances. Exploiting a FortiGate gives the attacker a foothold behind the perimeter and, depending on the flaw, the device configuration and VPN credentials stored on it, after which the worm capability handles the rest. The group also manipulates Group Policy Objects (GPOs) and compromises privileged accounts to maximise its foothold before deploying ransomware.
Double extortion
The Gentlemen combine encryption with data theft, exfiltrating sensitive files before locking systems. The dark-web leak site listing is not a technical step — it is a psychological and legal pressure mechanism. It signals to the victim that a ransom refusal will result in public release of stolen data, with accompanying reputational, regulatory, and commercial consequences. For a company like Mackay Sugar, which has obligations under the Australian Privacy Act and the Notifiable Data Breaches scheme, even a threat of data exposure has real compliance weight — particularly if grower contracts, employee records, or financial data were among the exfiltrated material.
What Australian Businesses Should Do Right Now
The Mackay Sugar attack is not an outlier — it is a case study in the type of attack that any Australian business running networked physical infrastructure is now at risk from. The following priorities apply regardless of sector.
Patch Fortinet products immediately
The Gentlemen's demonstrated preference for Fortinet FortiGate as an entry point makes this non-negotiable. If your business uses FortiGate firewalls, FortiClient, or FortiManager, check the Fortinet Product Security Incident Response Team (PSIRT) advisories and apply any outstanding patches before anything else. Patching alone does not evict an attacker who exploited the device before the patch landed: check the device against any indicators of compromise Fortinet publishes for the flaw, rotate the credentials, pre-shared keys and certificates stored on it, and review VPN logs for logins from unfamiliar locations. Unpatched perimeter appliances are the equivalent of a security door left on the latch; the internal security controls become irrelevant once the attacker is already inside.
Segment OT from IT networks
The ACSC's published guidance on OT cybersecurity is explicit on this point: operational technology networks should be logically and, where possible, physically separated from corporate IT networks. A ransomware payload that lands on an email server should not be able to reach a SCADA controller or PLC through open internal routing. If your business controls physical processes — machinery, cooling, generation, water, logistics — that OT environment needs its own segmented network with tight controls on cross-segment traffic.
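Segmentation is easy to state and hard to verify: firewall rule bases accumulate exceptions, and the question a practitioner actually needs answered is "which observed flows cross the IT/OT boundary outside an approved path?". The script below is an added example, not code from the original article or from ACSC guidance. It encodes a small zone-and-conduit policy in the IEC 62443 style (IT, DMZ and OT zones, with the only permitted cross-zone conduits listed explicitly and no IT-to-OT conduit at all) and audits constructed firewall flow records against it; the address plan, hosts, ports and flows are assumptions for illustration.

```python
"""IT/OT zone-and-conduit audit over firewall flow records.

Added example, not from the original article or from ACSC guidance.
Address ranges, hosts, ports and flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {  # assumed address plan
    "IT":  [ipaddress.ip_network("10.20.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.30.0.0/24")],  # jump host, historian replica
    "OT":  [ipaddress.ip_network("10.50.0.0/16")],  # HMIs, PLCs, engineering stations
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    src_hosts: frozenset = frozenset()  # empty = any host in src_zone


# Only traffic on these conduits may cross a zone boundary. There is
# deliberately no IT -> OT conduit: IT reaches OT only via the DMZ jump host.
CONDUITS = [
    Conduit("IT", "DMZ", "tcp", 3389, frozenset({"10.20.1.50"})),  # admin ws -> jump host
    Conduit("DMZ", "OT", "tcp", 3389, frozenset({"10.30.0.10"})),  # jump host -> HMIs
    Conduit("OT", "DMZ", "tcp", 5450),  # historian pushes to its DMZ replica
    Conduit("IT", "DMZ", "tcp", 443),   # IT reads the replica, never the OT source
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def zone_of(ip):
    """Name of the zone containing ip, or None for internet/unplanned ranges."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return None


def evaluate(flow):
    """Return (allowed, reason) for one flow under the policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False, "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return True, f"intra-zone {src_zone}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.port) == (src_zone, dst_zone, flow.proto, flow.port) \
                and (not c.src_hosts or flow.src in c.src_hosts):
            return True, f"conduit {c.src_zone}->{c.dst_zone} {c.proto}/{c.port}"
    return False, f"no conduit {src_zone}->{dst_zone} {flow.proto}/{flow.port}"


def audit(flows):
    """Return the flows that violate the policy, each with its reason."""
    violations = []
    for f in flows:
        ok, reason = evaluate(f)
        if not ok:
            violations.append((f, reason))
    return violations


SAMPLE_FLOWS = [  # constructed, in the shape of a firewall or NetFlow export
    Flow("10.20.1.50", "10.30.0.10", "tcp", 3389),  # admin -> jump host: ok
    Flow("10.30.0.10", "10.50.2.11", "tcp", 3389),  # jump host -> HMI: ok
    Flow("10.50.2.11", "10.30.0.20", "tcp", 5450),  # historian -> replica: ok
    Flow("10.50.2.11", "10.50.2.12", "tcp", 102),   # HMI -> PLC, same zone: ok
    Flow("10.20.3.4",  "10.50.2.11", "tcp", 445),   # mail server SMB to an HMI: violation
    Flow("10.20.7.9",  "10.50.10.5", "tcp", 502),   # IT host Modbus to a PLC: violation
    Flow("10.20.4.4",  "10.30.0.10", "tcp", 3389),  # RDP to jump host from wrong host: violation
    Flow("10.50.2.11", "8.8.8.8",    "udp", 53),    # HMI talking to the internet: violation
]


if __name__ == "__main__":
    for f, why in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src} -> {f.dst} {f.proto}/{f.port}: {why}")
```

The useful property is that the policy is written once, in terms of zones and conduits, and then any flow export (firewall logs, NetFlow, a span-port capture summarised by connection) can be replayed through it. The SMB flow from an IT mail server to an HMI is exactly the path a worm like the one described above would take, and it is flagged regardless of what the firewall currently permits.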
Apply Essential Eight controls
The ASD's Essential Eight Maturity Model addresses the most common attack paths used in ransomware incidents. Specifically relevant to The Gentlemen's techniques:
- Patch applications and operating systems (Maturity Level 1–2): apply patches to internet-facing services within 48 hours of release when the vendor rates the vulnerability critical or a working exploit exists. FortiGate firmware sits under the operating systems control, and Fortinet flaws are routinely in this category.
- Restrict administrative privileges: The Gentlemen actively target privileged accounts for lateral movement. Limiting who has domain administrator access, and where those accounts can log in from, constrains the blast radius of an initial compromise.
- Application control: The worm component of The Gentlemen's payload attempts to execute on every reachable host. Application control — allowing only approved executables to run — can stop the encryptor from launching even if it reaches a system.
- User application hardening: PowerShell remoting is one of The Gentlemen's 21 lateral movement techniques, and the Essential Eight's user application hardening control is where PowerShell is addressed. Remove PowerShell 2.0, run PowerShell in Constrained Language Mode where the environment allows it, and enable module, script block and transcription logging so that every remote session leaves a record. Constraining who may use PowerShell remoting, and from where, reduces your exposure.
Test your backups — offline
Ransomware operators specifically look for and destroy connected backup systems before deploying the encryptor. The only reliable defence is backups that are genuinely offline or air-gapped, not just "off-site" in a cloud storage account whose credentials sit on a compromised domain controller. Immutable or object-locked storage counts as offline only if nothing in the compromised environment holds the rights to delete it or shorten its retention. Test restoration quarterly. Know your recovery time objective for each critical system. If you have never practised restoring your OT environment from backup, you do not yet know whether your backup strategy actually works.
Australia's Agricultural and Industrial Sectors in the Crosshairs
The Mackay Sugar incident does not stand alone. It sits within a pattern of ransomware groups deliberately targeting sectors they have historically avoided, as more hardened targets — large financial institutions, healthcare conglomerates — have invested in detection and response capabilities that raise the cost of attack.
Internationally, the precedents are well established. In 2021, JBS Foods, the world's largest meat processing company, paid an $11 million ransom after a REvil attack shut down operations across multiple countries including Australia. That same year, the DarkSide attack on the US Colonial Pipeline demonstrated how a ransomware payload on the IT network of an energy pipeline operator could force a precautionary shutdown of the OT environment, causing fuel shortages across the south-eastern United States. The pattern is consistent: attackers are increasingly aware that operational disruption, not just data theft, is their highest-value coercion mechanism against industrial targets.
In Australia specifically, food and grocery (alongside energy) is one of the sectors designated as critical infrastructure under the Security of Critical Infrastructure Act 2018, which was significantly expanded by the 2021 and 2022 amendment packages. For an entity whose assets fall under the Act, that classification carries obligations: responsible entities must report cyber incidents to the Australian Signals Directorate (within 12 hours where the incident has a significant impact on the asset's availability, otherwise within 72 hours), maintain a critical infrastructure risk management programme, and in some cases allow government assistance during active incidents. Mackay Sugar's public disclosure and engagement with authorities on 10 June 2026 is consistent with those obligations.
The introduction of mandatory ransomware payment reporting under the Cyber Security Act 2024 adds another dimension. From 30 May 2025, businesses with an annual turnover above $3 million, and all critical infrastructure entities, that make a ransomware payment must report it to the Department of Home Affairs within 72 hours of making that payment. The intent is intelligence gathering: understanding which groups are being paid, how much, and in what sectors. For a company in Mackay Sugar's position, that reporting obligation shapes how any negotiation is conducted and creates an additional administrative burden during what is already a crisis response. Our earlier coverage of that law, Australia Ransomware Reporting Law: 72-Hour Compliance Guide, explains the requirements in detail.
For smaller Australian businesses that are not classified as critical infrastructure, the Mackay Sugar case still carries a direct lesson. You do not need to be a national icon to be targeted. The Gentlemen's affiliate model means individual operators choose their targets based on opportunity: visible revenue (Mackay Sugar's size is public knowledge), a predictable operational window (the crushing season), and a networked environment that has grown faster than the security controls around it. That description fits a significant number of Australian regional manufacturers, logistics companies, food processors, and utilities.
The ACSC's guidance on OT cybersecurity, co-developed with CISA, the NSA, and international partners including the UK and Japan, specifically covers the food and agriculture sector. It is freely available at cyber.gov.au. If your business operates any form of industrial control system, reading that document is an afternoon well spent.
Related reading
- The Gentlemen Ransomware: How This Fast-Rising Group Is Targeting Australian Businesses in 2026
- Australia Ransomware Reporting Law: 72-Hour Compliance Guide
Is Your Business Ready for a Ransomware Attack?
Check out our recommended security tools for a complete protection stack.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.