The Gentlemen ransomware group has claimed responsibility for an attack on Mackay Sugar Limited, one of Australia’s largest sugar producers with approximately 900 grower-member shareholders and two primary mills in Queensland’s Mackay region. The attack, which began in the early hours of 14 June 2026, disrupted operational technology systems controlling cane crushing and processing operations, forcing the suspension of mill activities at a critical point in the 2026 harvest season.
The Gentlemen — whose SystemBC command-and-control infrastructure was partially disrupted by a joint law enforcement operation in April 2026 — have since rebuilt their operational infrastructure and have claimed eight named victim organisations in June 2026, suggesting the group has accelerated its activity following the attempted disruption.
Attack Impact and OT Disruption
Mackay Sugar’s two operational mills — the Pleystowe Mill and the Racecourse Mill — process sugarcane from approximately 170,000 hectares of farmland in the Mackay region. The June–November crushing season represents the entirety of the year’s sugar production; halting operations during this period creates losses that cannot be recovered through extended operations, as the harvested cane degrades in quality within hours.
The attack affected control systems for:
- Mill scheduling and cane intake management — coordination of incoming cane haul-outs from grower farms, which continues on a fixed schedule tied to harvest dates
- Juice extraction and evaporation controls — process control systems governing temperature, pressure, and flow parameters in the multi-stage sugar extraction process
- Centrifuge and crystallisation systems — automated process controls for final sugar crystal separation
The disruption to harvest-season OT systems is particularly consequential because cane already cut and transported cannot be held — it must be processed within approximately 12 hours of harvest to maintain sucrose quality. Mackay Sugar’s growers faced immediate decisions about whether to halt harvesting operations, with each day of delay during peak harvest carrying direct financial losses.
The Gentlemen’s Escalating OT Targeting
The April 2026 law enforcement action against The Gentlemen’s SystemBC C2 infrastructure disrupted the group’s operations temporarily, but analysis of their June activity suggests they have rebuilt with modified infrastructure and shifted their targeting criteria toward organisations with OT dependencies — a pattern that maximises pressure on victims to pay ransom given the time-sensitivity of operational disruption.
The Gentlemen’s methodology, as documented by Check Point Research and Coveware, involves extended dwell times of 30–60 days during which the group maps IT/OT network boundaries and identifies OT system credentials before triggering encryption. This preparation means the group typically understands a target’s OT dependencies before launching the attack — the precision of the Mackay Sugar disruption, hitting process control systems rather than general IT infrastructure, is consistent with advance reconnaissance.
The attack represents the fifth ransomware incident against food and beverage manufacturing in Australia in 2026, following incidents at three dairy cooperatives and a frozen food distributor. ACSC has issued an advisory citing The Gentlemen as the most active ransomware group targeting Australian food and agricultural processors.
OT Resilience Considerations
The Mackay Sugar incident illustrates the outsized impact ransomware has on OT-dependent operations compared to purely IT-focused organisations. Several architectural realities make OT ransomware particularly difficult to recover from quickly:
Recovery time is measured in days to weeks, not hours. Process control systems require specialised technicians and validated system images for recovery; the equivalent of an IT server restore may require vendor engineer involvement and physical media, not a backup restoration from cloud storage.
Operational windows do not accommodate extended downtime. A harvest-season food processor, a hospital, or an energy utility cannot take mills or critical systems offline for two weeks to complete a full forensic investigation and rebuild — the operational pressure to recover creates negotiation pressure that IT-focused organisations face to a lesser degree.
IT/OT convergence creates lateral movement risk. Organisations that have integrated OT process data into enterprise IT systems for production analytics and ERP integration have created pathways that attackers can traverse from the IT network to the OT environment.
Recommended Actions
- Implement network segmentation between IT and OT environments — if not already in place, OT systems should reside on isolated network segments with controlled, audited crossing points; a firewall policy that defaults to denying IT→OT traffic protects OT systems from IT-originated ransomware propagation
- Maintain offline backups of OT system configurations and validated images — process control system recovery is substantially faster when validated configuration backups are available offline; test restoration procedures annually
- Assess your operational windows and develop ransom response playbooks that account for the actual cost of extended operational downtime — organisations that can credibly model the cost of a two-week shutdown make better-informed incident response decisions under pressure
- Review The Gentlemen’s known IOCs published by ACSC and Check Point — network indicators, C2 domains, and SystemBC behaviour signatures enable detection during the dwell period before encryption is triggered
- Contact ACSC (1300 CYBER1) if you operate in Australian food, agriculture, or critical infrastructure sectors and suspect intrusion activity — ACSC maintains active threat intelligence on The Gentlemen group and can support forensic triage
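As an added illustration of the first recommendation (not code from the article, ACSC or Mackay Sugar), the following models a default-deny IT→OT boundary with a short allowlist of audited crossing points and evaluates constructed flow records against it; the address plan, crossing points and flows are all assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption, not Mackay Sugar's network).
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),  # historian and jump host live here
    "OT": ip_network("10.30.0.0/16"),
}

# Controlled, audited crossing points into OT: (src_zone, dst_port, proto, name).
# Any other flow into OT from a non-OT source is denied by default.
CROSSING_POINTS = [
    ("DMZ", 502, "tcp", "historian-modbus-poll"),
    ("DMZ", 3389, "tcp", "jump-host-rdp"),
]

def zone_of(addr: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it matches no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"

def evaluate(src: str, dst: str, dst_port: int, proto: str) -> tuple[str, str]:
    """Return (decision, reason) for one flow under the boundary policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_zone != "OT":
        return "ALLOW", f"{src_zone}->{dst_zone} is outside the OT boundary"
    if src_zone == "OT":
        return "ALLOW", "intra-OT traffic"
    for sz, port, pr, name in CROSSING_POINTS:
        if (src_zone, dst_port, proto) == (sz, port, pr):
            return "ALLOW_AUDITED", f"crossing point {name}; log for review"
    return "DENY", f"default-deny {src_zone}->OT ({dst_port}/{proto})"

# Constructed flow records: an IT workstation reaching a PLC directly on Modbus
# and SMB, the DMZ historian polling the same PLC, and PLC-to-PLC traffic.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.30.1.10", 502, "tcp"),
    ("10.10.5.23", "10.30.1.10", 445, "tcp"),
    ("10.20.0.5", "10.30.1.10", 502, "tcp"),
    ("10.30.1.10", "10.30.1.11", 502, "tcp"),
]

def audit(flows=SAMPLE_FLOWS) -> list[tuple[str, str]]:
    """Evaluate every flow; decisions are returned in input order."""
    return [evaluate(*flow) for flow in flows]

if __name__ == "__main__":
    for flow, (decision, reason) in zip(SAMPLE_FLOWS, audit()):
        print(f"{decision:13} {flow[0]}->{flow[1]}:{flow[2]}  {reason}")
```

The same policy table can be fed from real firewall or NetFlow exports to find IT→OT crossings that fall outside the approved list.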