Ransomware Group incransom Hits: www.labexpress.com

We have obtained 200 GB of internal data from a US-based group operating under two legal entities: Labexpress and Garonit Pharma. The materials show a single Active Directory domain (LABEXPRESS1.local), a shared file server, and extensive cross‑company records. This data will be made publicly available in the near future.

Active Directory Overview

– 65 computers, 142 user accounts, 98 groups, 11 organizational units (OUs).
– Domain controllers: DC01 (Server 2019), LABXDC01 (Server 2012 R2).
– A single AD domain serves both Labexpress and Garonit Pharma.

Notable account:
cn: Troy Austin
sAMAccountName: Taustin
memberOf: QuickBooks, LABEXPRESS, LABEXPRESSUSERS
The same person appears in Exchange mailboxes as [email protected].

Weak Passwords and Brute‑Force Indicators

– Administrator account: 3,193 failed logon attempts, last successful logon 2026-04-30.
– Computer accounts FRONTDESK$, DEV$, LABEL$ – more than 3,000 failures each.
– Cleartext password found on FILE01passwords.txt:
Admin: LabExpress2024!
– The Domain Admins group includes: Administrator, labadmin, adminiss, Protect, xtratech, LAE009-CT.
– Password for user Protect: Password123!
– Outdated password templates in the “SBSUsers” OU are still in use.

Mail Servers and Exchange

– LABSERVER2 runs Windows Server 2003 SP2 with Exchange 2007.
– Full mailbox export performed using the built‑in Export-Mailbox cmdlet – no special exploit required.

Contents of the Obtained Data (200 GB)

We have data from drive E:, including:

1. Financial & Accounting
– QuickBooks Enterprise 2021 installer and data files (QB2021.DSN, QB2021.ND).
– Folder: E:Garonit DocumentsClients 2022 – hundreds of invoices, COAs, and COCs (e.g., Amtrade International INV# 50268.pdf for ~21M USD, Estee Lauder Inv# 24.pdf).
– Folder: E:Garonit DocumentsACCOUNTS PAYABLES 2022 09 22 – detailed accounts payable records for 50+ vendors.

2. Quality & Production
– Thousands of COA/COC files (e.g., CHG 20% Lot 429012 CoA.pdf, COC CHG 20%, Lot# 705103.docx).
– Complete batch records for 2023–2026 (folders Batch Records2023, 2024, 2025, 2026).
– Stability study protocols and raw HPLC data for CHG 0.12% Oral Rinse.

3. ANDA & Regulatory Documentation
– Folder “00 Oral Rinse ANDA-Old One” – complete ANDA dossier, including DMF, method validation, stability, and correspondence with the FDA.
– Files: ANDA Checklist-Oral Rinse.docx, DMF Assessment in advance.pdf.

4. Vendor & Customer Records
– Folder: E:Garonit DocumentsVendor from 2022 07 19 TO 2022 09 21Vendor – dossiers on each supplier (contracts, invoices, assessments).
– Folder: E:LABEXPRESSDATAALL LEI ORDERS – customer purchase orders and sales quotations.

5. Human Resources (HR)
– Folder: E:LABEXPRESSDATAHUMAN RESOURCES – employment contracts, W‑9 forms, tax deductions, resignation letters.
– Passport scans, Green Card copies, health insurance records for many employees.
– Files: Employee Handbook.pdf, PTO Request Form.docx, Time off request form.pdf.

6. Internal Communications & Scans
– Directory “C224E BIZHUB SCANNER DUMPS” containing subfolders named after employees (Burcu, Frank, Iliany, Kelvin, Dave, Randy, Sudhir, etc.).
– Scans include: Green Cards, IDs, credit card authorization forms, bank letters, and correspondence with the IRS.
– Examples: Burcu Green Card.pdf, Rohit Garg X-Ray.pdf, SKM_C250i… (thousands of scanned documents).

7. Tax & Banking Documentation
– Correspondence with the IRS, State of New Jersey, Valley National Bank, Citibank.
– Files: IRS Notice Lab Express.pdf, Valley Bank Garonit Deceember 2020.pdf, Credit Application, Bank instructions.pdf.

Shared Infrastructure – Observed Facts

– The same Active Directory domain and file server (drive E:) store data for both Labexpress and Garonit Pharma.
– Cross‑company records reside in the same folders (e.g., “Garonit Documents” and “LABEXPRESSDATA” coexist on the same drive).
– User Troy Austin has an AD account (Taustin) and also uses the email address [email protected].
– Purchase orders, invoices, COA/COC files refer to both companies interchangeably.
– At the IT level, there is no separation between the two legal entities.

The obtained data demonstrates that Labexpress and Garonit Pharma operate on a single, shared IT infrastructure. All files, accounts, mailboxes, and production records are stored on the same systems. A 200 GB archive will be publicly released in the near future.