The Aftermath of the Kaspersky Ban

Written by Pedro Umbelino
Principal Research Scientist
Written by Jake Olcott
VP of Communications and Government Affairs, Bitsight

In the spring of 2024, amid growing international concern about supply chain risk and the trust and reliability of technology suppliers, the United States banned Kaspersky Lab, Inc., the Russia-based antivirus company, from providing its products to the US market. The ban went into effect on September 30, 2024.

What impact has the ban had on US and global usage of Kaspersky? Has it been effective? A new analysis from Bitsight contains some surprising results.

Key takeaways

  • Active use of Kaspersky products remains prevalent within the US nearly 3 months after the ban went into effect.
  • More than 40% of US organizations observed to be using Kaspersky products before the prohibition was announced in June still appear to be using the products.
  • The ban has had a significant impact on global usage of Kaspersky, with dramatic decreases in usage observed in organizations operating in countries that do not have formal bans on Kaspersky technology.

Background and timeline

The US Department of Commerce's Bureau of Industry and Security (BIS) announced in June 2024 the prohibition of Kaspersky Lab, Inc., the US subsidiary of the Russia-based anti-virus software and cybersecurity company, from directly or indirectly providing antivirus software and cybersecurity products or services in the US or to US persons. This prohibition includes public and private sector usage of Kaspersky products.

In recommending the ban, BIS determined that Kaspersky posed an undue or unacceptable risk to US national security. According to the prohibition, Kaspersky is no longer able to sell its software within the US or provide any updates to software already in use. Enterprises using Kaspersky in the US were encouraged to find alternative solutions.

The ban went into effect on September 29, 2024.

It was reported in September that Kaspersky customers in the US had their Kaspersky software replaced without warning with a new antivirus solution called UltraAV. Kaspersky reportedly partnered with UltraAV and began automatically providing software updates to UltraAV. While Kaspersky officials stated that the purpose of the new software installation was to protect its customers, some within the national security community raised questions about the propriety of the installation and the risks of providing root-level access to Kaspersky.

The US is one of the only countries to ban Kaspersky usage in the public and private sectors. Other countries have banned or restricted the use of Kaspersky from government devices or national security department usage (e.g. Canada, Italy, UK) or issued warnings against using Kaspersky software in public and private sectors (e.g. Germany).

Research methodology

Bitsight’s analysis is based on observing connections/communications between global IP addresses that we attribute to specific organizations and Kaspersky update servers. While we believe this is a strong indicator of product usage by organizations, we acknowledge this approach may capture traffic that is used to perform security research, testing, reconnaissance, or other intelligence collection activities about Kaspersky update servers. Bitsight published our original findings about global use of Kaspersky products in July 2024.
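
The measurement described above, sketched as an added example (not Bitsight's code or data): flows to a set of update-server addresses are attributed to organizations by source prefix and counted per month, and the share of baseline organizations no longer seen is computed. All addresses, prefixes and organization names are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs: documentation-range addresses stand in for real telemetry.
UPDATE_SERVERS = {"203.0.113.10", "203.0.113.11"}  # placeholder update-server IPs
ORG_PREFIXES = {                                   # hypothetical IP-to-org attribution
    "198.51.100.0/25": "ExampleBank",
    "198.51.100.128/25": "ExampleTech",
    "192.0.2.0/24": "ExampleAgency",
}
FLOWS = [  # (month, source IP, destination IP)
    ("2024-04", "198.51.100.5", "203.0.113.10"),
    ("2024-04", "198.51.100.6", "203.0.113.11"),
    ("2024-04", "198.51.100.200", "203.0.113.10"),
    ("2024-04", "192.0.2.44", "203.0.113.10"),
    ("2024-04", "192.0.2.44", "198.51.100.5"),   # not an update server: ignored
    ("2024-11", "198.51.100.5", "203.0.113.10"),
    ("2024-11", "192.0.2.90", "203.0.113.11"),
    ("2024-11", "100.64.0.9", "203.0.113.10"),   # unattributed: counted as an IP only
]
NETWORKS = [(ipaddress.ip_network(p), org) for p, org in ORG_PREFIXES.items()]

def attribute(ip):
    """Return the organization owning the most specific matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, org) for net, org in NETWORKS if addr in net]
    return max(matches)[1] if matches else None

def monthly_usage(flows):
    """Per month: organizations and unique source IPs seen contacting update servers.
    A connection is an indicator of usage, not proof; research or testing
    traffic toward the same servers is counted as well."""
    usage = defaultdict(lambda: {"orgs": set(), "ips": set()})
    for month, src, dst in flows:
        if dst not in UPDATE_SERVERS:
            continue
        usage[month]["ips"].add(src)
        org = attribute(src)
        if org:
            usage[month]["orgs"].add(org)
    return usage

def removal_rate(usage, baseline, latest):
    """Share of organizations seen in the baseline month that are absent in the latest."""
    before = usage[baseline]["orgs"]
    still = before & usage[latest]["orgs"]
    return 1 - len(still) / len(before) if before else 0.0
```
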

Post-ban view of Kaspersky usage

In summary, Bitsight analysis indicates that global usage of Kaspersky products has dropped significantly since the US ban. Interestingly, while US usage rates have declined, Kaspersky products are still prevalent in the US even after the ban effective date. We even observe some government organizations in the US that still appear to be using Kaspersky products. Here are three ways we broke it down:

1. Declining global use of Kaspersky

Let’s start with the obvious: the US ban on Kaspersky has indeed had a significant, measurable impact on global usage of Kaspersky products, which has dramatically decreased since the beginning of the year.

In April 2024, Bitsight was observing a pattern of nearly 22,000 global organizations and over 7 million unique IP addresses communicating monthly with Kaspersky update servers. In the most recent checks of our data (November 30, 2024), we see that number has fallen to around 8,000 global organizations and 2 million unique IP addresses. The dotted lines in the chart below represent the time that the proposed ban was announced in June and when the ban went into effect at the end of September.

Kaspersky update: research shows a decline in organization and IP count

2. Declining use of Kaspersky by country

The next chart shows the decrease in the number of organizations using Kaspersky products by country after the US ban became effective in September 2024. It is important to note that there are still more than 1,000 US organizations observed to be connecting to Kaspersky update servers even after the ban went into effect. The US is the country with the largest number of organizations observed by Bitsight to be using Kaspersky products.

Kaspersky ban news: research shows a decline in organization usage globally since ban was announced

The chart below highlights the rate at which organizations within various countries were observed to remove Kaspersky products from April until November 30, 2024. Bitsight observes that only 58% of US organizations observed earlier in the year to be using Kaspersky products appear to have eliminated their Kaspersky usage.

Kaspersky ban research by country

Interestingly, Bitsight has observed faster removal of Kaspersky products in recent months by organizations in countries that did not institute outright bans on Kaspersky compared with the US. This includes organizations in countries like Germany, the UK, and Italy, which have either banned Kaspersky usage in government devices or, in the case of Germany, issued a warning against using Kaspersky software in the public and private sectors. Each of these countries has a higher observed reduction in usage than the US. For example, we observed a 69% decline in Kaspersky usage in Germany from April to November compared with the 58% US decline. The decline in Kaspersky usage in Poland is also noteworthy given that country’s contentious relationship with Russia and its 2022 effort to impose sanctions on Kaspersky founder Eugene Kaspersky.

3. The US view: Top 10 sectors by usage

A closer examination of the US data shows a decline in usage across the 10 sectors that were observed to be the highest users of Kaspersky technology. The US Technology sector was the heaviest observed user of Kaspersky products; even after the ban, hundreds of Tech organizations still appear to be using Kaspersky. Note that 19 government agencies in the US were observed to be communicating with Kaspersky update servers as of Nov. 30, 2024.

Kaspersky ban research by sector

Future considerations for policymakers

The US government's announcement of the prohibition of Kaspersky has clearly impacted the usage of Kaspersky products, both in the US and internationally. But the data reveals a more complicated story. On the one hand, the ban does not appear to have completely eliminated Kaspersky usage in the US by the deadline imposed. On the other hand, equally interesting is the impact that the US ban appears to have on Kaspersky usage in other countries, even in locations that had previously announced their own restrictions and warnings.

With growing government concern about supply chain risk and the trust/reliability of technology suppliers themselves, we expect policymakers will consider implementing technology warnings, restrictions, and bans in order to achieve economic and national security outcomes.

As policymakers weigh these approaches, they should consider the following:

  1. How can policymakers measure the current usage of technology within their borders, including by sector/industry?
  2. Which is more effective in achieving policy goals: a technology warning or a technology ban?
  3. How does the use of incentives and/or penalties impact adherence to or compliance with technology warnings and/or bans?
  4. How should policymakers evaluate the effectiveness of technology warnings and/or bans? For example, is a ban effective even if it doesn’t result in 100% elimination of the technology by the date of the ban?
  5. How do technology restrictions, warnings and bans issued by certain countries impact others?

Given the new incoming administration and potential scrutiny of supply chain issues, we will continue to track these developments and to help our customers understand whether they have assets using Kaspersky in their inventory or across their third-party ecosystem so they can take the proper actions. For more information, please contact us!