More than a week after a cyberattack disrupted operations at Australia's second-largest sugar producer, the company said it is investigating claims by a ransomware group as it continues to restore its systems.

The threat actor known as Gentlemen claimed responsibility for the incident at Mackay Sugar, which disrupted sugar mill operations across one of the country's largest cane-growing regions.

Mackay Sugar has not attributed the incident to a specific threat actor or confirmed Gentlemen's involvement. However, in a statement on Wednesday, the company said it was aware of the hackers' claim on the group's dark web leak site and had found evidence that an external party had accessed parts of its IT environment.

"We are working urgently to verify these claims, including the nature and extent of any information that may have been accessed," the company said.

The cyberattack earlier this month forced two of Mackay Sugar's mills to suspend operations shortly after the annual sugarcane crushing season began, bringing harvesting to a halt across large parts of Queensland's Mackay region. The company's Racecourse and Farleigh mills have remained shut since June 10, while its third facility avoided disruption because it was not operating at the time of the attack.

The company said it continues to restore systems and expects some harvesting to resume this week.

"We recognize the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible," Mackay Sugar said.

The company, which operates three mills and says it generates more than $420 million in annual revenue, supplies raw sugar to domestic customers and export markets including South Korea, Indonesia, Japan and Malaysia.

The ransomware group Gentlemen claimed responsibility for the attack this week, saying it would publish allegedly stolen data if a ransom is not paid. The group did not disclose what information it claims to have obtained or specify its demands, and Mackay Sugar has not revealed whether it has made contact with the group.

Australian law requires victims of ransomware attacks to report to the government any extortion payments made to cybercriminals on their behalf.

According to cybersecurity firm ESET, Gentlemen emerged in late 2025 and has rapidly become one of the most active ransomware operations this year. The group operates a ransomware-as-a-service model, offering affiliates up to 90% of ransom payments, and employs double-extortion tactics by stealing data in addition to encrypting systems.

Researchers say its operators previously worked with ransomware groups including Qilin, Embargo, LockBit, Medusa and BlackLock. While the group's origins remain unknown, security researchers have found evidence suggesting its founder is a Russian speaker.