Microsoft attacks and wins major malware botnets.


As part of a coordinated effort that began about a week and a half ago, Microsoft and its partners have almost completely disabled an elusive botnet that had infected more than a million computing devices since late 2016.

Called Trickbot, the botnet is run by criminals and has been used for a "wide range of malicious activities," including spreading ransomware (a type of malware that encrypts data so that victims cannot access their files). The only way to unlock an encrypted file is with the decryption key. Typically, the malware authors demand a ransom (often in bitcoin) in exchange for unlocking the victim's files. In some cases there is a deadline for paying the ransom; in others, the data is permanently deleted.

"Adversaries can use ransomware to infect computer systems used to maintain voter rolls and report election night results, and seize those systems at a time optimized to incite confusion and distrust," Microsoft explained earlier this week.

Microsoft obtained a court order to work with telecommunications providers around the world. According to Microsoft, Trickbot is particularly dangerous because its modular structure allows it to constantly evolve, making it more difficult to detect and remove than static malware.

For the past four years, Trickbot has been infecting computers and IoT devices, including wireless routers. Trickbot not only delivers ransomware (it once crippled the IT network of a German hospital) but also hijacks web browsers to steal login credentials. It has also been used to steal information and to run spam and spear-phishing campaigns.

Microsoft says it first discovered 69 servers at the core of Trickbot's various operations. Within a short period of time, 62 of those servers were taken offline.

"The remaining seven servers were not traditional command and control servers, but Internet of Things (IoT) devices that Trickbot had infected and used as part of its server infrastructure. As expected, the criminals controlling Trickbot scrambled to replace the infrastructure we initially disabled," Microsoft said in a new blog post.

Through continuous tracking, Microsoft discovered 59 additional servers that the Trickbot operators attempted to add to the mix and subsequently disabled 58. This means that Microsoft has disabled 120 of the 128 Trickbot servers it discovered.

This is an ongoing attack, and according to Microsoft, the number will inevitably change. Says the company, "This is a daunting task and not necessarily a straight line to success." However, the company is optimistic that it has dealt a major blow to Trickbot's operations and can get ahead of things.
