A cyberattack on Australia’s second-largest sugar producer has forced farmers to keep crops in the ground, and looks like denting their incomes. Mackay Sugar, based in the Australian state of Queensland, processes sugar cane farmed in nearby districts. The company disclosed a cyberattack on June 10 and limited operations while it dealt with the fallout. Some operations remain restricted, but the company said on Monday that it managed to perform some manual crushing at its Farleigh Mill site, working with sugar cane that was harvested before the attack. “Significant progress has been made over the weekend in restoring the systems that support cane supply, harvesting, and mill operations,” Mackay Sugar said in a statement. “Steam trials are now underway, and subject to final validation activities, some harvesting is expected to recommence this week in preparation for the staged restart of crushing operations later this week.” While the company is optimistic it can resume crushing, it's advised growers not to harvest their crops for the time being. That edict works for Mackay Sugar because sugar producers need to process crops within 48 hours of harvest. Doing so preserves high sugar content and overall yield. Delaying the processing for any longer after harvesting could result in sucrose converting to simple sugars, unwanted fermentation, and lower yields. But late harvesting can reduce the quality of cane, reducing the price they earn for their crops. Interrupted harvesting also impacts the railways used to move cane from farms to mills. Mackay Sugar acknowledged the impact its downtime could have on growers and other partners, and committed to restoring systems safely. “We are communicating directly and regularly with our employees, growers, and key partners,” it said. “We recognise the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible. “We take our responsibility to protect our systems, operations, and information very seriously. We apologise for any disruption this incident has caused and will continue to provide updates as we continue our investigation.” The company operates three mills across Queensland, two of which were operating at a limited capacity due to the attack. Its Racecourse Mill, described as the heart of the business and home to its corporate offices, was among those affected. Racecourse Mill typically generates 213,000 tons of raw sugar and 58,000 tons of molasses a year, and the site’s cogeneration plant generates 156,000 MWhs of renewable electricity a year, around 71 percent of which is sent back into the national electricity grid. Mackay’s mill in Farleigh, the company’s oldest, was also affected. It typically produces around 196,000 tons of raw sugar and 49,000 tons of molasses per year. The company’s largest and most productive factory, Marian Mill, was unscathed. Ungentlemanly conduct Cybercrime group The Gentlemen claimed responsibility for the attack on Mackay Sugar, posting the company to its data leak site without offering any details about the attack or whether it stole data to use as leverage for extortion demands. Cyber threat intelligence professionals have known of the group for almost a year, after spotting it in July 2025 and classifying it as a ransomware-as-a-service provider. However, there is no evidence that ransomware was used in the attack on Makay Sugar. The company has never mentioned ransomware in its statements, referring to the attack only as a “cyber security incident.” However, The Gentlemen is known for using file-encrypting malware in its double extortion attacks. The group caught the attention of Microsoft’s researchers, who last month published a deep dive into how it carries out attacks. Microsoft’s report noted that not only do The Gentlemen affiliates have access to a powerful file encryptor, but also one that self-propagates, which “increases the likelihood of widespread impact once initial access is achieved.” It has also recently established a partnership with BreachForums, which allows the group to recruit prospective new affiliates with different skillsets, such as penetration testers and initial access brokers. ®