Hacking group behind widespread ransomware attacks disappears online

WASHINGTON - A cybercriminal group that took responsibility for a massive ransomware attack that affected hundreds of businesses this month has disappeared from sight online.
REvil, which is thought to be based in Russia, was not in its usual places on the “dark web” and the regular Internet. Many researchers have blamed the group for the huge hack that hit technology services provider Kaseya just hours before the beginning of the Fourth of July weekend.
That attack affected software used by hundreds of businesses and locked up victims’ files so they could no longer access them. Organizations ranging from a grocery chain in Sweden to a school in New Zealand to small Maryland towns were racing to get their systems back online after the attack.
REvil’s sites went down early Tuesday, according to cyber analysts. The last known response from the group’s servers was around 1 a.m. Wednesday, said Allan Liska, a researcher with cybersecurity firm Recorded Future.
“Someone went in and removed the IP address” linked to the domain hosting the group’s sites, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike.
The group’s blog is reachable on the dark web, a portion of the Internet that is not easily navigable by search engine, he said. But the more critical sites, which are used to negotiate with the group and receive decryption tools, are on the regular Internet, he said. All were down Wednesday.
The domain registrar is TLD Registrar Solutions, which is headquartered in London, Alperovitch said. Attempts to reach the firm Wednesday were not successful.
The reason behind the site outage is unclear. It could have been the result of a request by law enforcement — British, American or some other government — to the domain registrar. It could have been the group itself feeling pressured.