Ransomware victim disclosure
Labexpress (operating as Labexpress and Garonit Pharma)
listed as www.labexpress.com · Claimed by incransom · listed 5 days ago
Status timeline
- Listed: May 30, 2026
- Data leaked
At a glance
- Group: incransom
- Status: Data leaked
- Country: US
- Sector: Business Services
- Listed on leak site: May 30, 2026
About the victim
AI dossier — public-source company profile
Labexpress is a US-based pharmaceutical manufacturer operating under two legal entities (Labexpress and Garonit Pharma) sharing unified IT infrastructure. The company manufactures oral rinse products (CHG-based) and processes ANDA regulatory filings with the FDA. Operations include quality control, batch production, vendor management, and customer distribution.
- Industry: Pharmaceutical Manufacturing & Distribution
- Employees: 142
Attack summary
Severity: critical — Confirmed exfiltration of 200 GB including: (1) regulated pharmaceutical data (ANDA dossiers, batch records, stability studies) with FDA compliance implications; (2) at-scale employee PII (142 identified accounts, passport scans, health insurance, tax records); (3) financial data (invoices, accounts payable, banking correspondence); (4) active directory and system credentials. Data involves healthcare/pharmaceutical sector with clear regulatory sensitivity and identity theft risk at scale.
Incransom claims to have exfiltrated 200 GB of internal data from Labexpress and Garonit Pharma's shared infrastructure, including complete Active Directory dumps, financial records, FDA regulatory dossiers, employee PII, and pharmaceutical production data. The group states data will be publicly released.
Data the group says was taken
AI dossier — extracted from the leak post
- Active Directory domain structure (65 computers, 142 accounts)
- QuickBooks financial data and invoices
- FDA ANDA dossiers and regulatory correspondence
- Batch records and HPLC stability study data (2023–2026)
- Certificates of Analysis and Certificates of Conformance
- Employee contracts, W-9 forms, passport scans, Green Cards
- Health insurance records and tax documentation
- Customer purchase orders and vendor contracts
- Exchange mailbox exports
- Scanned employee documents (IDs, bank letters, credit card forms)
What the group claims
LABEXPRESS & GARONIT PHARMA: 200 GB OF SHARED INFRASTRUCTURE We have obtained 200 GB of internal data from a US-based group operating under two legal entities: Labexpress and Garonit Pharma. The materials show a single Active Directory domain (LABEXPRESS1.local), a shared file server, and extensive cross‑company records. This data will be made publicly available in the near future. Active Directory Overview - 65 computers, 142 user accounts, 98 groups, 11 organizational units (OUs). - Domain controllers: DC01 (Server 2019), LABXDC01 (Server 2012 R2). - A single AD domain serves both Labexpress and Garonit Pharma. Notable account: cn: Troy Austin sAMAccountName: Taustin memberOf: QuickBooks, LABEXPRESS, LABEXPRESSUSERS The same person appears in Exchange mailboxes as [email protected]. Weak Passwords and Brute‑Force Indicators - Administrator account: 3,193 failed logon attempts, last successful logon 2026-04-30. - Computer accounts FRONTDESK$, DEV$, LABEL$ – more than 3,000 failures each. - Cleartext password found on FILE01\passwords.txt: Admin: LabExpress2024! - The Domain Admins group includes: Administrator, labadmin, adminiss, Protect, xtratech, LAE009-CT. - Password for user Protect: Password123! - Outdated password templates in the “SBSUsers” OU are still in use. Mail Servers and Exchange - LABSERVER2 runs Windows Server 2003 SP2 with Exchange 2007. - Full mailbox export performed using the built‑in Export-Mailbox cmdlet – no special exploit required. Contents of the Obtained Data (200 GB) We have data from drive E:\, including: 1. Financial & Accounting - QuickBooks Enterprise 2021 installer and data files (QB2021.DSN, QB2021.ND). - Folder: E:\Garonit Documents\Clients 2022\ – hundreds of invoices, COAs, and COCs (e.g., Amtrade International INV# 50268.pdf for ~21M USD, Estee Lauder Inv# 24.pdf). - Folder: E:\Garonit Documents\ACCOUNTS PAYABLES 2022 09 22\ – detailed accounts payable records for 50+ vendors. 2. 
Quality & Production - Thousands of COA/COC files (e.g., CHG 20% Lot 429012 CoA.pdf, COC CHG 20%, Lot# 705103.docx). - Complete batch records for 2023–2026 (folders Batch Records\2023, 2024, 2025, 2026). - Stability study protocols and raw HPLC data for CHG 0.12% Oral Rinse. 3. ANDA & Regulatory Documentation - Folder “00 Oral Rinse ANDA-Old One” – complete ANDA dossier, including DMF, method validation, stability, and correspondence with the FDA. - Files: ANDA Checklist-Oral Rinse.docx, DMF Assessment in advance.pdf. 4. Vendor & Customer Records - Folder: E:\Garonit Documents\Vendor from 2022 07 19 TO 2022 09 21\Vendor\ – dossiers on each supplier (contracts, invoices, assessments). - Folder: E:\LABEXPRESSDATA\ALL LEI ORDERS\ – customer purchase orders and sales quotations. 5. Human Resources (HR) - Folder: E:\LABEXPRESSDATA\HUMAN RESOURCES\ – employment contracts, W‑9 forms, tax deductions, resignation letters. - Passport scans, Green Card copies, health insurance records for many employees. - Files: Employee Handbook.pdf, PTO Request Form.docx, Time off request form.pdf. 6. Internal Communications & Scans - Directory “C224E BIZHUB SCANNER DUMPS” containing subfolders named after employees (Burcu, Frank, Iliany, Kelvin, Dave, Randy, Sudhir, etc.). - Scans include: Green Cards, IDs, credit card authorization forms, bank letters, and correspondence with the IRS. - Examples: Burcu Green Card.pdf, Rohit Garg X-Ray.pdf, SKM_C250i... (thousands of scanned documents). 7. Tax & Banking Documentation - Correspondence with the IRS, State of New Jersey, Valley National Bank, Citibank. - Files: IRS Notice Lab Express.pdf, Valley Bank Garonit Deceember 2020.pdf, Credit Application, Bank instructions.pdf. Shared Infrastructure – Observed Facts - The same Active Directory domain and file server (drive E:\) store data for both Labexpress and Garonit Pharma. 
- Cross‑company records reside in the same folders (e.g., “Garonit Documents” and “LABEXPRESSDATA” coexist on the same drive). - User Troy Austin has an AD account (Taustin) and also uses the email address [email protected]. - Purchase orders, invoices, COA/COC files refer to both companies interchangeably. - At the IT level, there is no separation between the two legal entities. The obtained data demonstrates that Labexpress and Garonit Pharma operate on a single, shared IT infrastructure. All files, accounts, mailboxes, and production records are stored on the same systems. A 200 GB archive will be publicly released in the near future.
Sources
Indexed 5 days ago
This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
