Executive Summary
On 10 June 2026, a ransomware attack attributed to The Gentlemen ransomware group disrupted operations at two mills operated by Mackay Sugar, Australia’s second-largest sugar producer. The incident halted sugar milling and cane haulage at the Farleigh and Racecourse mills, impacting over 1,300 family-owned farms and the regional supply chain. The attack occurred at the start of the crushing season, causing a temporary cessation of harvesting and processing activities. Mackay Sugar confirmed the incident publicly and began recovery efforts, including limited manual operations and staged system restoration. On 16 June 2026, The Gentlemen ransomware group claimed responsibility, threatening to release stolen data within ten days. As of the latest updates, the specific data compromised remains unknown, and the full extent of the damage has not been disclosed. The incident highlights the exposure of critical infrastructure in the agricultural sector to ransomware and underscores the potential for cascading effects on food production and regional economies. Mackay Sugar is working with authorities and stakeholders to restore operations and mitigate the impact.
Technical Information
The attack on Mackay Sugar was executed by The Gentlemen ransomware group, which is known for advanced, multi-stage campaigns targeting enterprise environments and critical infrastructure. The group’s tactics, techniques, and procedures (TTPs) map to the MITRE ATT&CK framework and demonstrate a high level of sophistication.
Initial Access: The attackers likely gained entry by exploiting internet-facing services or using compromised credentials. While the specific vector in this incident has not been publicly confirmed, The Gentlemen group is documented to favor exposed services such as VPNs and firewalls, as well as credential-based attacks. This aligns with their historical use of compromised domain accounts and exploitation of public-facing applications (Trend Micro, Cyber Daily).
Discovery and Reconnaissance: Once inside the network, the attackers conducted extensive reconnaissance using tools such as Advanced IP Scanner and Nmap to map the environment. They performed Active Directory enumeration with batch scripts and PowerShell, targeting privileged accounts and domain groups to identify high-value assets and escalation paths.
Privilege Escalation and Lateral Movement: Privilege escalation was achieved using tools like PowerRun.exe, while lateral movement was facilitated by PsExec and PuTTY. Registry modifications were made to weaken authentication controls and enable Remote Desktop Protocol (RDP) access. These actions allowed the attackers to move laterally across the network and gain access to critical systems.
Persistence and Defense Evasion: Persistence was maintained through the deployment of AnyDesk remote access software and registry changes. Defense evasion techniques included the use of custom tools such as All.exe and ThrottleBlood.sys for kernel-level manipulation, and Allpatch2.exe for targeted termination of security software. The attackers disabled security agents, modified firewall rules, and neutralized Windows Defender to avoid detection and hinder response efforts.
Collection and Exfiltration: Data was staged in local directories and accessed via WebDAV connections. Exfiltration was performed using WinSCP, leveraging encrypted channels to transfer data outside the network. The attackers utilized living-off-the-land techniques to blend in with legitimate activity and evade monitoring.
Impact: The ransomware payload was deployed via the NETLOGON share, encrypting files and terminating backup, database, and security services. The attack employed double extortion tactics, threatening to release stolen data if ransom demands were not met. The operational impact included the shutdown of two major mills, disruption of cane haulage, and a temporary halt to harvesting and processing activities.
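The tool names and actions described in the Discovery through Impact stages above translate directly into host-based detection rules. The following is an added example, not code from the advisory, Trend Micro or Mackay Sugar: it runs a small rule set over constructed Sysmon-style event lines (the pipe-delimited format, hostnames and users are invented for illustration, not the real Sysmon schema or real telemetry). The tool names come from the advisory; the fDenyTSConnections registry value and the SYSVOL\domain\scripts path behind the NETLOGON share are standard Windows locations assumed here because the advisory does not name them.

```python
"""Detection logic for the tool- and registry-based TTPs described above, run
over constructed Sysmon-style event lines. Added example; the event format,
hostnames and sample lines are constructed and are not telemetry from the
Mackay Sugar incident."""
from dataclasses import dataclass

# Constructed events, loosely modelled on Sysmon Event IDs 1 (process create),
# 6 (driver load), 11 (file create) and 13 (registry value set).
SAMPLE_EVENTS = [
    "1|host=MILL-FS01|user=CORP\\svc_backup|image=C:\\Users\\Public\\Advanced_IP_Scanner.exe|cmd=Advanced_IP_Scanner.exe /s",
    "1|host=MILL-FS01|user=CORP\\svc_backup|image=C:\\Users\\Public\\PowerRun.exe|cmd=PowerRun.exe cmd.exe",
    "13|host=MILL-FS01|user=NT AUTHORITY\\SYSTEM|target=HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections|details=DWORD (0x00000000)",
    "1|host=MILL-DC01|user=CORP\\Administrator|image=C:\\Windows\\PSEXESVC.exe|cmd=PSEXESVC.exe",
    "6|host=MILL-DC01|user=NT AUTHORITY\\SYSTEM|image=C:\\Windows\\Temp\\ThrottleBlood.sys|cmd=",
    "1|host=MILL-DC01|user=CORP\\Administrator|image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe|cmd=AnyDesk.exe --install",
    "1|host=MILL-FS01|user=CORP\\svc_backup|image=C:\\Program Files\\WinSCP\\WinSCP.exe|cmd=WinSCP.exe /console",
    "11|host=MILL-DC01|user=CORP\\Administrator|target=C:\\Windows\\SYSVOL\\domain\\scripts\\update.exe",
    "1|host=MILL-WS12|user=CORP\\j.smith|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe shift_report.txt",
]

# Image basename -> the ATT&CK tactic the advisory associates with that tool.
# Name matching is a triage signal only: several of these are legitimate admin
# tools and all of them can be renamed, so pair this with hash and behaviour rules.
TOOL_RULES = {
    "advanced_ip_scanner.exe": "Discovery",
    "nmap.exe": "Discovery",
    "powerrun.exe": "Privilege Escalation",
    "psexec.exe": "Lateral Movement",
    "psexesvc.exe": "Lateral Movement",
    "putty.exe": "Lateral Movement",
    "anydesk.exe": "Persistence",
    "all.exe": "Defense Evasion",
    "allpatch2.exe": "Defense Evasion",
    "throttleblood.sys": "Defense Evasion",
    "winscp.exe": "Exfiltration",
}

@dataclass
class Finding:
    host: str
    tactic: str
    evidence: str

def parse_event(line):
    """Split 'id|key=value|key=value' into a dict; values may contain spaces."""
    event_id, *fields = line.split("|")
    event = {"id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["id"] in (1, 6):
            name = basename(ev.get("image", ""))
            if name in TOOL_RULES:
                findings.append(Finding(ev["host"], TOOL_RULES[name], f"{name} by {ev['user']}"))
        elif ev["id"] == 13:
            # The advisory says registry changes enabled RDP; fDenyTSConnections
            # is the standard Windows value for that (assumed here, not named on the page).
            target = ev.get("target", "").lower()
            if target.endswith("\\fdenytsconnections") and "0x00000000" in ev.get("details", ""):
                findings.append(Finding(ev["host"], "Lateral Movement", "RDP enabled via registry"))
        elif ev["id"] == 11:
            # NETLOGON is served from SYSVOL\domain\scripts on domain controllers;
            # a fresh executable there matches the payload-staging step described above.
            target = ev.get("target", "").lower()
            if "\\sysvol\\domain\\scripts\\" in target and target.endswith(".exe"):
                findings.append(Finding(ev["host"], "Impact", "new executable in NETLOGON share"))
    return findings

def hosts_with_chain(findings, minimum=3):
    """Hosts where several distinct tactics fire: a chain, not a lone admin tool."""
    tactics_by_host = {}
    for f in findings:
        tactics_by_host.setdefault(f.host, set()).add(f.tactic)
    return sorted(h for h, t in tactics_by_host.items() if len(t) >= minimum)

if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:10} {f.tactic:20} {f.evidence}")
    print("hosts with a multi-tactic chain:", hosts_with_chain(results))
```

The per-event rules are deliberately noisy on their own (PuTTY, WinSCP and AnyDesk all have legitimate uses); the value is in hosts_with_chain, which only escalates a host once several distinct tactics from the advisory's chain appear on it, which is the pattern described for the two mill hosts in the sample.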
Indicators of Compromise (IOCs): Known IOCs associated with The Gentlemen ransomware include the following SHA1 hashes (Trend Micro):
c12c4d58541cc4f75ae19b65295a52c559570054 (Ransom.Win64.GENTLEMAN.THHAIBE)
c0979ec20b87084317d1bfa50405f7149c3b5c5f (Trojan.Win64.KILLAV.THHBHBE)
df249727c12741ca176d5f1ccba3ce188a546d28 (Trojan.Win64.KILLAV.THHBHBE)
e00293ce0eb534874efd615ae590cf6aa3858ba4 (HackTool.Win32.PowerRun.THHBHBE)
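The published hashes are only useful if they are actually swept against hosts. The following is an added example, not code from the advisory or from Trend Micro: it hashes every file under a directory tree and reports matches against the SHA1 list above. The hash values and detection names are copied from the advisory; the self-check plants a constructed file and adds that file's own hash to a copy of the IOC set, so the demo produces a hit without any real sample on disk.

```python
"""Sweep a directory tree for files whose SHA-1 matches the published IOCs.
Added example, not from the advisory or Trend Micro; the hashes are the ones
listed above, the directory is whatever the caller points it at."""
import hashlib
import os
import tempfile

# SHA-1 IOCs and detection names exactly as published in the advisory above.
GENTLEMEN_IOCS = {
    "c12c4d58541cc4f75ae19b65295a52c559570054": "Ransom.Win64.GENTLEMAN.THHAIBE",
    "c0979ec20b87084317d1bfa50405f7149c3b5c5f": "Trojan.Win64.KILLAV.THHBHBE",
    "df249727c12741ca176d5f1ccba3ce188a546d28": "Trojan.Win64.KILLAV.THHBHBE",
    "e00293ce0eb534874efd615ae590cf6aa3858ba4": "HackTool.Win32.PowerRun.THHBHBE",
}

def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_directory(root, iocs=GENTLEMEN_IOCS):
    """Return [(path, sha1, detection_name)] for every file matching an IOC.
    Comparison is case-insensitive on the hex digest; unreadable files are
    skipped rather than aborting the sweep (locked or vanished files are common
    on a live host)."""
    iocs = {digest.lower(): name for digest, name in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits

def demo():
    """Self-check with constructed files: one planted hash, one benign file.
    Returns (hits with the planted hash added, hits against the published set)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Temp"))
        benign = os.path.join(tmp, "shift_report.txt")
        planted = os.path.join(tmp, "Temp", "sample.bin")
        with open(benign, "w") as fh:
            fh.write("constructed benign content\n")
        with open(planted, "wb") as fh:
            fh.write(b"constructed sample, not malware\n")
        iocs = dict(GENTLEMEN_IOCS)
        iocs[sha1_of_file(planted)] = "Constructed.Test"  # constructed, not a real IOC
        with_planted = scan_directory(tmp, iocs)
        published_only = scan_directory(tmp)  # neither file is a real sample, so []
        return ([(os.path.basename(p), name) for p, _d, name in with_planted], published_only)

if __name__ == "__main__":
    print(demo())
```

Exact-hash matching is cheap and precise but brittle: a recompiled or repacked payload produces a new digest, so this sweep confirms known samples and says nothing about variants. Use it alongside behavioural detection of the tools and registry changes described in the Technical Information section.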
Attribution: Attribution to The Gentlemen ransomware group is assessed with high confidence based on technical artifacts, public claims, and alignment with the group’s known TTPs. The group’s dark web leak site listed Mackay Sugar as a victim, and the attack chain matches previous campaigns documented by security researchers.
Sector-Specific Implications: The attack demonstrates the vulnerability of the agricultural and food supply sectors to ransomware, with significant operational and economic consequences. The disruption affected over 1,300 family-owned farms, the regional power supply (via Mackay Sugar’s cogeneration plant), and the broader supply chain. The incident underscores the need for enhanced cybersecurity measures in critical infrastructure sectors.
Affected Versions & Timeline
The incident affected operational technology (OT) and information technology (IT) systems at the Farleigh and Racecourse mills operated by Mackay Sugar. The specific software or firmware versions exploited have not been disclosed. The following timeline summarizes key events:
Early morning, 10 June 2026: Mackay Sugar issues "cease harvesting" advice to growers after detecting a cyber security incident.
10 June 2026: Public disclosure of the incident, confirming impact to two mills.
15 June 2026: Mackay Sugar reports partial restoration of systems and limited manual operations at Farleigh Mill.
16 June 2026: The Gentlemen ransomware group claims responsibility and threatens to release stolen data within ten days.
As of the latest updates, some systems have been restored, but full operational capacity has not yet been achieved. The specific data compromised and the extent of the damage remain unknown (ABC News, Cyber Daily).
Threat Activity
The Gentlemen ransomware group has been active since mid-2025, targeting enterprise environments and critical infrastructure across the Asia-Pacific region and beyond. The group is characterized by its use of advanced, tailored attack chains, custom tools for defense evasion and privilege escalation, and double extortion tactics involving both data encryption and theft.
In the Mackay Sugar incident, the group’s activity included:
Gaining initial access via likely exploitation of internet-facing services or compromised credentials.
Conducting network reconnaissance and privilege escalation to identify and access critical systems.
Deploying custom tools (All.exe, ThrottleBlood.sys, Allpatch2.exe) to disable security software and maintain persistence.
Exfiltrating data using encrypted channels and staging files for potential public release.
Encrypting operational data and terminating essential services to maximize disruption.
Threatening to release stolen data to pressure the victim into ransom payment.
The group’s targeting of the agricultural sector and critical infrastructure is consistent with broader ransomware trends seeking maximum leverage and ransom payment likelihood. The attack on Mackay Sugar demonstrates the potential for significant operational and economic impact in the food supply chain.
Mitigation & Workarounds
Mitigation and recovery efforts should be prioritized as follows:
Critical: Immediately isolate affected systems from the network to prevent further lateral movement and data exfiltration. Engage incident response teams and law enforcement authorities to coordinate containment and investigation.
High: Conduct a comprehensive review of all internet-facing services, including VPNs, firewalls, and remote access solutions. Apply security patches, enforce strong authentication (including multi-factor authentication), and disable unnecessary services.
High: Reset credentials for all privileged accounts and review access logs for signs of compromise. Implement network segmentation to limit the spread of ransomware and restrict access to critical systems.
Medium: Enhance monitoring and detection capabilities, including deployment of endpoint detection and response (EDR) solutions and regular review of security alerts.
Medium: Review and update backup strategies to ensure offline, immutable backups are available and regularly tested for restoration.
Low: Provide cybersecurity awareness training to staff, emphasizing phishing prevention, credential hygiene, and incident reporting procedures.
In the context of the Mackay Sugar incident, fallback measures for operational continuity (such as manual operations and staged system restoration) were effective in mitigating immediate disruption. However, long-term resilience requires a comprehensive approach to cybersecurity, including regular risk assessments, supply chain security reviews, and incident response planning.
References
https://www.abc.net.au/news/2026-06-10/cyber-attack-shuts-down-north-queensland-sugar-mills/106780304
https://www.cyberdaily.au/security/13758-exclusive-mackay-sugar-cyber-attack-claimed-by-the-gentlemen-ransomware
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and vendor ecosystem. Our platform enables continuous risk assessment, automated threat intelligence integration, and actionable reporting to support incident response and resilience planning. For questions or further information, please contact us at ops@rescana.com.