The total number of cybersecurity attacks fell by 35 percent in the last quarter of 2016, according to a new report, but the attacks became more targeted and sophisticated.
"We were kind of surprised," said Jon Heimerl, manager of the threat intelligence communications team at NTT Security, which produced the report.
Instead of general-purpose exploit kits and broad scanning, the attackers are zeroing in on specific targets, he said.
"If I can get access to your systems and start doing things that appear authorized, it's not going to trigger alerts and I can get more information," he said. That requires a more sophisticated approach, and has a higher potential payoff.
"If I'm in your network for half a year, I'm going to do a lot more damage to your environment, than a quick $20,000 ransomware hit," he said. "But I still want that $20,000 hit."
The criminals are doubling down on strategies that work, he said, and easing back on the more scatter-shot, lower-return efforts.
"Ransomware is free cash, an immediate return on investment," he said. "They're not getting passwords or data that they have to go out and sell."
However, one major player actually switched away from ransomware half-way through 2016 and began focusing on the RIG exploit kit, a banking Trojan.
Another significant change was that Russia moved from 10th to third place as the source of attacks.
"But ransomware is still the bigger target because of the immediate payout," he added.
However, that doesn't necessarily mean that the attacks were initiated by Russian criminals.
Criminals using hosting providers or proxies or botnets-as-a-service located all around the world, so it is hard to get accurate attribution, said Heimerl.
It's also hard to determine whether a particular attack was related to criminals or nation states, he said.
"Some companies are saying, 'oh, it's a nation-state attack, we couldn't do anything about it'," he said. "It's a buzzword."
Plus, criminals are getting access to better and better tools, said Danica Blessman, NTT Security's senior threat intelligence analyst.
"More sophisticated tools are becoming available online that you would normally only see a nation-state actor use," she said.
The opposite is true as well, she added, with some nation-state hiring cyber mercenaries in order to disguise their activities.
"We saw a lot of conversation about nation-state attacks," said Heimerl. "But be careful with your blame, because it's not always them."
The report also included updated numbers for how much criminals were getting for stolen credit card numbers.
Stolen credit cards, including security cards, were fetching around $7 per card in the U.S. in December. Full identity dossiers were going for $30 each. Loyalty plan details are particularly interesting to criminals, the report said, because they often contain other personal information about the customer.