Back to Intelligence

The Gentlemen Ransomware: Defending Critical Infrastructure Against Encryption Attacks

SA
Security Arsenal Team
June 15, 2026
5 min read

A critical incident has struck the food and beverage sector, confirming that operational technology (OT) and industrial control systems (ICS) remain prime targets for cybercriminals. Mackay Sugar, Australia’s second-largest sugar producer, recently fell victim to an encryption-based cyberattack attributed to a threat group known as "The Gentlemen." The attack forced the shutdown of milling operations, disrupting the supply chain and underscoring the devastating business continuity impact of modern ransomware.

For defenders, this is a wake-up call. When a threat actor moves laterally from IT to OT, the consequences shift from data loss to physical process disruption. We need to move beyond standard endpoint protection and implement detection mechanisms specifically tailored to identify the precursors of mass encryption in industrial environments.

Technical Analysis

Threat Actor: The Gentlemen Target: Mackay Sugar (Food & Beverage / Critical Infrastructure) Attack Vector: Encryption-based cyber incident (Ransomware) CVE Identifiers: None explicitly disclosed in the initial intelligence.

While the specific initial access vector (IAV) for this incident—whether phishing, exposed Remote Desktop Protocol (RDP), or a VPN vulnerability—remains under investigation, the operational impact is clear: mass encryption of data files necessary for milling operations.

From a defender's perspective, "encryption-based" attacks typically follow a predictable chain of events once inside the perimeter:

  1. Discovery & Credential Dumping: The threat actor enumerates the network, identifying high-value servers and industrial workstations.
  2. Lateral Movement: Moving from the corporate IT network into the OT environment, often traversing poorly segmented firewalls.
  3. Defense Evasion: Disabling security tools and deleting Volume Shadow Copies to prevent recovery.
  4. Impact: Execution of the encryption payload to lock files and disrupt operations.

Exploitation Status: Confirmed active exploitation resulting in operational shutdown.

Detection & Response

To detect "encryption-based" activity like that executed by The Gentlemen, we must focus on the behaviors that occur immediately before and during file encryption. This includes the abuse of legitimate system administration tools to delete backups and the rapid modification of file entropy.

SIGMA Rules

YAML
---
title: Potential Ransomware Shadow Copy Deletion
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin or wmic, often a precursor to ransomware execution.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'shadowcopy delete'
  condition: 1 of selection*
falsepositives:
  - Legitimate system administration maintenance (rare in OT)
level: high
---
title: Suspicious Mass File Encryption Pattern
id: 9d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects processes that rapidly create or modify files with new extensions, indicative of ransomware encryption.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '.encrypted'
      - '.locked'
      - '.gentlemen' # Hypothetical extension based on actor name
    Image|endswith:
      - '.exe'
      - '.dll'
  timeframe: 1m
  condition: selection | count() > 50
falsepositives:
  - High-volume data processing or archival tasks
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for deletion of system backups and shadow copies
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "/quiet")
| where FileName in~ ("vssadmin.exe", "wmic.exe", "powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious processes interacting with file system handles in mass
SELECT Pid, Name, CommandLine, Exe, Username,CreateTime
FROM pslist()
WHERE Name =~ 'cmd.exe'
   OR Name =~ 'powershell.exe'
   OR Name =~ 'vssadmin.exe'
   OR Name =~ 'wmic.exe'
-- Secondary hunt for processes holding open many file handles (common in encryption)
SELECT Pid, Name, Count(Handle) as HandleCount
FROM handles()
GROUP BY Pid, Name
HAVING HandleCount > 1000

Remediation Script (PowerShell)

PowerShell
# Script to verify integrity of Volume Shadow Copies and identify common ransomware precursors
Write-Host "Checking Shadow Copy Storage status..."
$vssStatus = vssadmin list shadows
if ($vssStatus -match "No shadows found") {
    Write-Host "[CRITICAL] No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
} else {
    Write-Host "[INFO] Shadow Copies appear to exist." -ForegroundColor Green
}

Write-Host "Scanning for common ransomware processes..."
$suspiciousProcs = @("vssadmin", "wmic", "bitsadmin", "taskkill")
foreach ($proc in $suspiciousProcs) {
    $found = Get-Process -Name $proc -ErrorAction SilentlyContinue
    if ($found) {
        Write-Host "[WARN] Found process $proc running." -ForegroundColor Yellow
    }
}

# Check for recent file modifications in common user directories (last 1 hour)
Write-Host "Checking for mass file modifications..."
$timeThreshold = (Get-Date).AddHours(-1)
$modifiedFiles = Get-ChildItem -Path "C:\Users" -Recurse -ErrorAction SilentlyContinue | 
                 Where-Object { $_.LastWriteTime -gt $timeThreshold -and $_.Length -gt 0 }

if ($modifiedFiles.Count -gt 100) {
    Write-Host "[ALERT] High volume of file modifications detected in the last hour." -ForegroundColor Red
}

Remediation

In response to the "The Gentlemen" attack on Mackay Sugar and similar threats to the manufacturing sector, immediate defensive actions are required:

  1. Network Segmentation (IT/OT Isolation): Ensure strict segmentation between the corporate network and the OT environment. This attack vector often relies on traversing from IT to OT. Implement a DMZ with strict access control lists (ACLs) limiting RDP, SMB, and RPC traffic.

  2. Disable Unused Protocols: In ICS environments, protocols like SMBv1 and unnecessary RDP ports should be blocked at the firewall level. If RDP is required for vendors, enforce MFA and VPN gateway access.

  3. Backup Recovery Verification: Offline backups are the primary remediation for encryption-based attacks. Verify that recent backups of SCADA/HMI configurations and process data are isolated from the network (immutable).

  4. User Awareness: Given that initial access often involves phishing, conduct immediate security awareness training for staff with access to industrial networks, specifically focusing on identifying social engineering tactics used by groups like "The Gentlemen."

  5. Vendor Advisory: Continue monitoring updates from the Australian Cyber Security Centre (ACSC) and vendors for specific IoCs (Indicators of Compromise) related to this campaign.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirics-securityoperational-technologythe-gentlemen

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action