Mackay Sugar, Australia's second-largest raw sugar producer, has been hit by a ransomware attack that forced the shutdown of mills in Queensland and halted core processing operations. The company first disclosed the incident on June 10, and by June 15 the attack had been claimed by the Gentlemen ransomware group, tracked by Microsoft as Storm-2697. Mackay Sugar operates three cane-processing mills, and the attack disrupted operations at two of them, stalling cane supply, harvesting, and logistics during the active crushing season.
What Happened
The incident came to light on June 10, when Mackay Sugar announced it was responding to a cybersecurity event affecting some of its operations and that "interim processes are in place to support critical business functions and minimise disruption where possible."
The attack impacted two of the company's three mills. On June 12, Mackay Sugar said it had "recommenced a limited manual crushing operation" at one mill to process cane harvested before the incident, while warning that "key cane supply and logistics systems remain subject to ongoing restoration" and that no additional cane was being accepted.
In its June 15 update, the company reported "significant progress" restoring systems supporting cane supply, harvesting, and mill operations. Steam trials were underway, with a staged restart of crushing operations expected later that week. Notably, Mackay Sugar advised growers and harvesters not to recommence harvesting until further notice, an indication of how deeply the disruption reached into the surrounding supply chain.
The Gentlemen ransomware group named Mackay Sugar on its Tor-based leak site on June 15 but had not yet posted any stolen data.
What Was Taken
Mackay Sugar's public updates do not address potential data compromise, and the scope of any exfiltration remains unconfirmed. However, the Gentlemen group operates a double-extortion model: it encrypts files on compromised systems and exfiltrates data to pressure victims into paying.
The listing of Mackay Sugar on the group's leak site, even without a data dump, is consistent with that playbook and typically signals that the attackers claim to hold stolen data they intend to release if a ransom is not paid. As of reporting, no records had been leaked, so the volume and sensitivity of any compromised data are not yet established.
Why It Matters
This is an operational-impact ransomware event against critical food and agricultural infrastructure, not merely a data breach. The shutdown struck during active crushing season, when downtime translates directly into lost cane, idle growers, and stalled regional logistics.
For defenders, the case underscores how IT-focused ransomware can cascade into operational paralysis even where industrial control systems are not directly touched. It remains unclear whether the attackers reached ICS or OT environments, or whether mill operations were halted as a precaution after IT systems were compromised. Either way, the result was the same: a major national producer forced offline, with downstream harvesters told to stand down.
The Gentlemen group's leak site lists more than 500 alleged victims, marking it as a high-volume operator that defenders across the agriculture, manufacturing, and critical infrastructure sectors should treat as an active threat.
The Attack Technique
The Gentlemen group, tracked by Microsoft as Storm-2697, has been active since mid-2025. The crew uses custom malware to encrypt files on compromised hosts and exfiltrate data for extortion leverage.
Researchers have specifically flagged the group's malware for its worm-like lateral movement capabilities, allowing it to spread automatically across a compromised network. That self-propagating behavior is significant in environments like Mackay Sugar's, where flat or loosely segmented networks bridging corporate IT and plant operations can let an infection move rapidly from an initial foothold to systems supporting physical processing. The initial access vector in this specific incident has not been publicly disclosed.
What Organizations Should Do
- Segment IT and OT networks aggressively, enforcing strict boundaries and monitored chokepoints so that a corporate compromise cannot propagate to mill, plant, or production systems.
- Counter worm-like lateral movement by disabling unnecessary administrative shares and protocols, enforcing least-privilege access, and deploying EDR tuned to detect rapid internal spread and credential reuse.
- Maintain offline, immutable, and regularly tested backups for both IT and operational systems to enable recovery without paying a ransom.
- Hunt for Storm-2697 indicators and behaviors, prioritizing detection of unusual lateral movement, mass file access, and data staging consistent with exfiltration.
- Prepare and rehearse an OT-aware incident response plan that includes safe, deliberate shutdown procedures and manual fallback processes for critical production.
- Treat seasonal and time-sensitive operations as high-risk windows, hardening monitoring and response readiness when downtime carries the greatest operational and financial cost.
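As an added illustration of the "rapid internal spread" detection the list above calls for, the script below (an example written for this article, not code from Mackay Sugar, Microsoft, or SecurityWeek) flags any host whose admin-share connections fan out to many distinct internal peers inside a short window, the pattern a worm-like lateral-movement component produces. Host names, the log format, the five-minute window, and the five-peer threshold are constructed assumptions, not incident data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs from the incident): one line per
# connection to an administrative share, "timestamp,source,destination,protocol".
SAMPLE_LOG = """\
2025-06-09T22:00:05,WS-ACCT-07,FILESRV-01,SMB
2025-06-09T22:00:09,WS-ACCT-07,WS-ACCT-12,SMB
2025-06-09T22:00:14,WS-ACCT-07,WS-ACCT-13,SMB
2025-06-09T22:00:20,WS-ACCT-07,MILL-HMI-02,SMB
2025-06-09T22:00:31,WS-ACCT-07,MILL-HIST-01,SMB
2025-06-09T22:00:40,WS-ACCT-07,DC-01,SMB
2025-06-09T22:03:00,WS-ENG-03,FILESRV-01,SMB
2025-06-09T23:10:00,WS-ENG-03,PRINT-01,SMB
"""


def parse_log(text):
    """Parse the CSV-style records into (timestamp, src, dst, proto), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, proto = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, proto))
    return sorted(events, key=lambda e: e[0])


def detect_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_host: peak distinct destinations} for every source whose
    admin-share connections reach `threshold` distinct peers within `window`.
    A normal workstation touches one or two servers; a self-propagating payload
    sweeps many hosts in seconds, so the peak fan-out count is the signal."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:          # events are already time-ordered
        by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        peak = 0
        for i, (start, _) in enumerate(conns):
            # Sliding window anchored at each connection: distinct peers reached
            # from this point until the window closes.
            peers = {d for t, d in conns[i:] if t - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_fanout(parse_log(SAMPLE_LOG)))   # {'WS-ACCT-07': 6}
```

In production the same logic would read SMB session or Windows logon events from the SIEM, and the threshold should be tuned per environment so that backup servers and vulnerability scanners, which legitimately fan out, are allow-listed rather than alerted on.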
Sources: Ransomware Attack Shuts Down Mills of Australia's Second-Largest Sugar Producer - SecurityWeek