What we know about the 'kill switch' in 'Petya' ransomware attack 

(MOSCOW) -- Cybersecurity researchers have been racing to analyze the new ransomware that struck Tuesday, first hitting Ukraine in an avalanche of attacks before spreading to companies around the world.

The malicious software has been identified as a modified version of a previously known ransomware called Petya or Petrwrap, but has been substantially altered, prompting a debate among researchers over whether it represents new malware.

Here’s what we know:

How the malware works

The malware works by encrypting a computer’s hard disk, locking users out and then posting a ransom demand telling them to pay $300 to a bitcoin account to unblock it.

At face value, it seems to resemble WannaCry -- the ransomware that locked out hundreds of thousands of computers in May -- but researchers have already noted some crucial differences.

A key difference so far has been that unlike WannaCry, researchers have not been able to find a so-called "kill switch" that shuts down this malicious code globally. But researchers believe they have found a temporary means of disabling the malware on individual computers.

One U.S. cybersecurity researcher, Amit Serper of Boston-based Cybereason, identified the fix on Tuesday night, and other researchers have since termed it a potential “vaccine” or “localized kill switch" for the malware. By changing a single file name, Serper found that users can trick the malware into shutting down on their individual computers.

Serper’s method has been confirmed by several other firms, but he has warned that it is only a temporary fix because large-scale attacks normally occur in several waves. Hackers may easily change the file names again, making the “vaccine” ineffective against the malware, which is technically a "worm" and not a virus because it is self-propagating.

Understanding the nature of the malware

Analysts are also still debating the nature of the malware. Petya was already known to researchers from 2016. But some believe the malware that struck Tuesday has been modified to the extent that it represents new malware, prompting some to give it the nickname “NotPetya.”

Russian cybersecurity firm Kaspersky Lab said it believed the software was a “new ransomware not seen before.” In light of the debate, cybersecurity news portal BleepingComputer termed it “SortaPetya.”

What most researchers agree on, however, is that the malware uses a tool developed by the U.S. National Security Agency (NSA) and later stolen by hackers.

Kaspersky Lab and other firms said the ransomware infects computers through an exploit termed EternalBlue, which takes advantage of a vulnerability in Windows operating systems. That same tool was used by WannaCry and was among a vast trove of cyberweapons stolen from the NSA last year by a group of hackers called the Shadow Brokers, which published the weapon online in April.

The use of the tool in a second major cyberattack in two months has prompted criticism directed at the NSA for losing control of the weapon.

After WannaCry, Microsoft issued patches for its Windows versions dating back to Windows XP that blocked the vulnerability; computers that have been updated with that patch were protected from the new attack. In a blog post, Kaspersky Lab explained how, after the malware has infected a machine, it immediately begins sending commands trying to infect other computers linked to it.

WannaCry was stopped after a young cybersecurity researcher in Britain inadvertently stumbled across a kill switch embedded in the malware. It was considered at the time an unlikely stroke of luck, abruptly curtailing the malware as it was racing into new networks.

The ransom message was linked to an email account where a message confirming the ransom payment is meant to be sent. But the German email provider, Posteo, quickly closed the account, in theory making the payments impossible. So far, the hackers have only received a few thousand dollars in ransoms, according to Wired.

Debating the hackers' intentions

Ukraine’s cyberpolice agreed that an update to the software known as ME-Doc had played a key role in unleashing the attack, noting in a statement that the update, far larger than those usually sent, went out around 10:30 a.m. local time to companies, with the malware then multiplying from there.

The police said they believed ME-Doc had been used unwittingly by hackers.

Some people have described the attack as primarily targeting Ukraine, with the international companies affected only as collateral damage of that attack, while some researchers have begun to suggest that the attack could have been intended to cause damage rather than collect ransoms.

Senior researcher Nicholas Weaver of the International Computer Science Institute told the cybersecurity blog Krebs on Security that he believed it was possible it had really been an attack only “disguised as ransomware.”

“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” he added.

Analysts were split on that theory, however.

How to fight the malware

Meanwhile, no similar kill switch has been found for Petya-NotPetya so far. Serper’s fix can rescue some individual machines.

To apply the fix, users should create a new file called Perfc in the C:\Windows directory, without the DLL file extension that the malware's own file carries. When the malware encounters the file, it is tricked into quitting, stopping the encryption.

Serper, the U.S. cybersecurity researcher, had been surprised that the fix worked. He was on vacation in Israel when the attack began, he told ABC News on Tuesday.

“I had three hours earlier where I had nothing to do, and I started reverse-engineering that malware,” Serper said.

Serper had been modifying the malware in his parents’ living room as they sat and watched TV, he added. He later talked another researcher through the process while at a bar with friends.

A hero among cybersecurity workers

He has since become a minor hero among cybersecurity workers after posting his method on Twitter. “I even got 35 job offers,” he said.

But he warned the fix is only partial and could quickly be circumvented. “This only stops this current outbreak,” Serper said. “If there will be another outbreak like WannaCry, where they had several waves of these attacks, they will probably change the name of the DLL or they might as well change how the function works.”

Who’s been affected

The attack spread rapidly Tuesday, taking in some of the world’s largest companies, including Danish shipping giant Maersk; the French multinational construction materials firm, Saint-Gobain; and U.S. pharmaceutical firm Merck & Co.

There are also questions around why the attack hit Ukraine and Russia so disproportionately. Kaspersky Lab found that about 60 percent of infections had occurred in Ukraine. There, ATMs were locked out, and people found that cash desks at some supermarkets and post offices were also blocked.

Ukraine’s Cabinet of Ministers, the government administration, said its office computers had been hit. A number of large banks; the state railway system; Kiev’s chief airport, Borispol; an energy company; and several telecom providers reported themselves struck.

Even radiation monitoring at the destroyed Chernobyl nuclear power station was affected, with technicians forced to carry it out manually after their Windows computers were locked out, Ukraine’s government said.

Russian companies were also hit by the malware. The state-owned giant Rosneft tweeted it had suffered a major cyberattack around the time the ransomware outbreak was reported. The Russian business newspaper, Vedomosti, posted photographs of the ransom screens sent by workers at another oil company, Bashneft, which Rosneft owns.

Group-IB, a Moscow-based cybersecurity firm, reported at least 80 companies had been hit in Russia and Ukraine. Russian steelmaker Evraz also said its systems were affected, according to the Russian state news agency, RIA Novosti. The Russian branch of a pet food producer owned by the U.S.-based Mars candymaker also reported an attack.

Ukrainian officials were quick to blame the attack on Russia, whose hackers have previously been linked to serious cyberassaults on critical infrastructure in the country. However, those had not involved ransomware. It is unclear who was behind Tuesday’s attack.

Copyright © 2017, ABC Radio. All rights reserved.


Homeland Security announces new security protocols for international flights to US

(WASHINGTON) -- Instead of expanding the laptop ban, the U.S. Department of Homeland Security has mandated new security measures for foreign flights headed directly to the United States, Secretary John Kelly said Wednesday.

"Terrorists want to bring down aircraft," Kelly said during a conference in Washington, D.C. "They still see aviation as the crown-jewel target."

"However, we are not standing on the sidelines while fanatics hatch new plots," he said. "We have the opportunity to raise the baseline of aviation security globally."

The updated protocols include "enhanced screening" of passengers and their electronic devices, as well as "seen and unseen" security around the aircraft and inside the airport, according to DHS. The updates affect 280 airports in 105 countries running about 2,000 flights daily -- adding up to 325,000 passengers every day.

If airlines can't, or won't, implement the new procedures, they will be banned from transporting personal electronic devices to the United States in both the cabin and the cargo hold.

But carriers at the 10 foreign airports already affected by the laptop ban -- instituted in March and unilaterally barring large personal electronic devices from the cabin, but not the cargo hold -- will have those restrictions lifted if they implement the new measures.

The new requirements come amid a "web of threats to commercial aviation" as terrorists work toward smuggling explosives onto jets inside laptops or other electronics, according to DHS.

"We cannot play international whack-a-mole," Kelly said Wednesday. "It is time that we raise the global baseline."

Officials declined to outline specifics of the procedures, citing security concerns. But passengers may notice more swabbing of passengers' hands and luggage in the gate area to test for explosive residue, sources told ABC News.

Updates will be phased in over the next few months, sources said.



Trump accepts invitation to visit France for Bastille Day celebrations

(WASHINGTON) -- President Donald Trump will travel to France next month to attend the Bastille Day celebration in Paris and commemorate the 100th anniversary of the United States' entry into World War I, the White House said Wednesday.

Trump accepted the invitation from French President Emmanuel Macron. The two leaders met for the first time during Trump's overseas trip in May, just weeks after Macron's election victory.

The U.S.-French relationship under Trump has been called into question after the president criticized France's handling of terrorism. Trump also pulled the U.S. out of the Paris Climate Accord, notably saying that he was elected "to represent the citizens of Pittsburgh, not Paris."

The French government said that Trump and Macron will attend the Bastille Day parade in Paris on July 14 and that American soldiers would participate "alongside their French brothers in arms" in the parade.

"President Trump looks forward to reaffirming America’s strong ties of friendship with France, to celebrating this important day with the French people," the White House said in a statement.



Tillerson urges negotiation to end Gulf crisis but Saudis say no

(WASHINGTON) -- Secretary of State Rex Tillerson held another round of meetings Tuesday in an effort to end the crisis among U.S. Gulf allies but was met with a continued impasse.

As the top U.S. diplomat urges restraint and negotiation, Saudi Arabia and the United Arab Emirates say their demands on neighbor Qatar are nonnegotiable.

And Qatar, meanwhile, says it is not even reviewing the demands from Saudi Arabia, the UAE and other Arab countries that moved earlier this month to isolate it for its alleged support of terrorism.

Tillerson on Tuesday met with the Qatari foreign minister, declining to answer reporters’ shouted questions about stalled talks beforehand. Later in the evening, he met with the Kuwaiti minister of state for cabinet affairs.

Kuwait, with the support of the U.S., is trying to mediate the dispute between Qatar on one side and Saudi Arabia, the United Arab Emirates, Bahrain and Egypt on the other.

Before the meeting with the Kuwaiti official, Tillerson told reporters, “We hope all the parties will continue to talk to one another in good faith.”

Afterward, Tillerson’s spokesperson Heather Nauert released a statement saying the secretary and Sheikh Mohammad Abdullah Al-Sabah of Kuwait “reaffirmed the need for all parties to exercise restraint to allow for productive diplomatic discussions. The secretary urged the parties to remain open to negotiation as the best way to resolve the dispute.”

But just hours earlier, Saudi Foreign Minister Adel al Jubeir told reporters that none of the 10 items on his group's list of demands are negotiable and that Qatar must meet them all.

They include: shutting down Qatar’s multinational news network, Al Jazeera; cutting back ties with Iran; ending support for the Muslim Brotherhood, Hamas, and other Islamist groups; and closing a Turkish military base.

“We stay where we are. We’ve made our point, we’ve taken our positions. If Qatar wants to come back into the [Gulf Cooperation Council] pool, they know what they have to do,” Jubeir said.

“If they don’t, they will remain isolated. We don’t have to deal with them… We don’t have to deal with a country that has done harm to us, unless they change their behavior,” he added.

To Saudi officials, Qatar's fulfilling their demands could mean meeting the spirit of some of them, without accomplishing each item itself. But either way, that hard line and willingness to leave Qatar -- a key U.S. ally that hosts nearly 10,000 troops supporting the fight against ISIS -- out in the cold is at odds with the U.S. view.

On the other side, the Qatari foreign minister told the Al Hurra news outlet that it will not respond until the Saudis and others provide evidence for their accusations. He told Al Jazeera “the demands must be realistic and enforceable and otherwise are unacceptable.”

All of this leaves the U.S. in a difficult spot -- torn between crucial allies who are no closer to an agreement despite weeks of public pressure, and some mixed messages, from the administration.

Going forward, the U.S. won’t weigh in on which demands Qatar should meet and which are unrealistic, but wants the two sides to figure that out, Nauert said at the briefing Tuesday.

“I don’t know that that’s for the State Department to weigh in at that level, because ultimately, these parties have to live with the decisions and the agreements that they make,” she said.

Al Jubeir denied that the timing of the crisis was tied to President Trump, after speculation that the Saudis and their allies felt emboldened to take action after the president’s visit to the Kingdom. And he wouldn’t say if there were talks to move the enormous U.S. air base in Qatar to the UAE or Saudi Arabia, saying that was an American decision.



Vibrant umbrella art display dazzles Sardinia visitors

(SARDINIA, Italy) -- Sardinia may be one of Italy's lesser-known destinations -- despite being the second-largest island in the Mediterranean Sea and boasting miles of beautiful beaches and rugged mountains -- but a small commune on the island has garnered worldwide attention with an inventive art display.

Every year, the council of Iglesias hangs vibrantly colored umbrellas over a street.

Not only do the multicolored umbrellas give a whimsical feel to the road, but at noon, they cast shadow circles on the pavement below.

People can be seen in this video, delighting as they pass underneath the art display.

The road, speckled with circular shadows, is lined with storefronts and quaint piazzas with Aragonese-style wrought-iron balconies.

The reasoning behind the umbrellas is not known, but Iglesias is home to two niche art galleries dedicated to mining. Iglesias is surrounded by what used to be Sardinia's lead, zinc and silver mining industries, and the town has two museums to the subject matter.



Former Trump campaign chair Paul Manafort registers as foreign agent for past work for Ukraine

(WASHINGTON) -- Former Trump campaign Chairman Paul Manafort has registered as a foreign agent for past work on behalf of Ukraine, a spokesperson announced Tuesday.

Manafort registered with the Department of Justice's Foreign Agents Registration Act unit for his work on behalf of a political party in Ukraine, his spokesperson, Jason Maloni, said in a statement.

"Today, Paul Manafort registered with the Department of Justice's [Foreign Agents Registration] unit for his work on behalf of Ukraine's Party of Regions. He started this process in concert with FARA's unit in September, before the outcome of the election and well before any formal investigation of election interference began," Maloni said Tuesday.

"Paul's primary focus was always directed at domestic Ukrainian political campaign work, and that is reflected in [Tuesday's] filing. Paul has appreciated the professionalism and guidance of the FARA unit throughout this process."

Manafort's past work with Ukraine has haunted him in the last several months as he is among the people whose activities are under scrutiny as part of the House and Senate investigations into Russia's interference in the U.S. election in 2016 and possible ties to Trump associates.

Manafort was named campaign convention manager for Trump in March 2016. He was promoted to campaign chairman and chief strategist in May 2016 and resigned in August, after the New York Times reported that his name appeared on a list of so-called black ledger accounts made by the toppled Ukrainian president with amounts up to $12.7 million from 2007 to 2012.



Massive cyberattack spreads ransomware across Europe, US

(MOSCOW) -- A massive cyberattack that freezes computers and demands a ransom to open them has hit companies in the U.S. and elsewhere around the world, U.S. officials and private cybersecurity analysts said Tuesday.

Among the American targets are the giant Merck pharmaceutical company in New Jersey; a major multinational law firm, DLA Piper; and possibly the Mondelez food company, which produces Oreo cookies.

According to American cybersecurity researchers, the ransomware attack used a global spam campaign to trick computer users into downloading malicious software that locks them out of their devices until they pay $300 in Bitcoin. The email address where victims can confirm payment is not working, however, making recovery impossible.

Researchers tell ABC News that tens of thousands of computers across multiple large organizations in at least four continents have been hit, with organizations in Russia and the Ukraine the most affected.

While several researchers identified the virus as a derivative of the “Petya” ransomware, Kaspersky Lab, which congressional sources told ABC News is itself under FBI scrutiny, disputed that assessment, concluding that the virus was “a new ransomware that has not been seen before” and dubbing it “NotPetya.”

Like the WannaCry attack in May, Tuesday’s ransomware appears to be using the hacking tools EternalBlue and DoublePulsar developed by the U.S. National Security Agency and leaked to the public by The Shadow Brokers hacker group. The virus exploits a vulnerability in Microsoft Windows to spread quickly throughout networks with outdated security software.

"Many researchers are seeing evidence that the NSA exploits are being used to propagate this," John Bambenek of Fidelis Cybersecurity told ABC News. "Some ineffective security defenses allowed this to happen as well."

On Tuesday afternoon, Amit Serper, a researcher at the Boston-based cybersecurity firm Cybereason, tweeted that he had found a way to stop the malware using the virus’ original file name, though he cautioned it was not a “generic kill switch” like the one discovered to stop WannaCry, but only a “temporary workaround.”

Early reports indicated the virus affected major companies in Russia and Ukraine as well as the world’s largest shipping firm, Maersk, according to the affected companies and government sources.

Ukraine appears to have been particularly hard hit, with the country’s government reporting that some of its systems, as well as those of key institutions, including banks and telecom providers, were affected. Even radiation monitoring at the Chernobyl nuclear power station was impacted, with technicians forced to take measurements around the ruined station manually after their Windows computers were knocked out, Ukraine’s government said.

Merck confirmed on Twitter that its network was infected.

"We confirm our company's computer network was compromised today as part of global hack," the company tweeted. "Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more."

A spokesperson for DLA Piper, a global law firm with offices in Washington, D.C., confirmed that malware spread to its system, saying, “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.”

Mondelez International, a New Jersey–based food and drink company, released a statement saying its networks were down.

"The Mondelez International network is experiencing a global IT outage. Our global special situations management team is in place, and they are working to resolve the situation as quickly as possible. We will update as we have more information.”

Both the Department of Homeland Security and the FBI issued statements indicating that officials were aware of the attack and working to contain it.

"The Department of Homeland Security is monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners," said the agency in a statement. "We stand ready to support any requests for assistance. Upon request, DHS routinely provides technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential."

"The FBI is aware of the reported global cyber attacks and takes all potential cyber compromises seriously," an FBI spokesperson told ABC News. "Threat mitigation, as well as bringing the perpetrators of cyber attacks to justice, are the FBI’s top priorities."

Photos of screens of affected computers and ATMs sent to ABC News and other media outlets showed the following message: "If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Maersk reported its IT systems were affected by the attack, with local media showing the same ransom message from the firm’s offices in Rotterdam, Reuters reported.

Russia's state-owned energy giant Rosneft said it suffered a major attack and in a statement on Twitter said it succeeded in halting it. Workers at another oil company, Bashneft, that is owned by Rosneft, sent photos to the Russian newspaper Vedomosti showing their screens locked with the same ransom message. An analyst at Group-IB told the Russian news site RNS that at least 80 companies were affected in Russia and Ukraine.

In Ukraine the virus struck the country’s government administration. Vice Prime Minister Pavlo Rozenko wrote on Facebook that the Cabinet’s office computers were all locked out. Ukraine’s central bank said a number of banks in the country were hit, as well as a state energy company. Some ATMs in the country were blocked and displayed the lock-out screen. Ordinary Ukrainians reported being unable to use some banking services. Local Ukrainian media reported that the country’s Borispol airport and national rail company were also attacked.

In a post on his Facebook page, Anton Gerashchenko, an adviser to Ukraine’s Interior Ministry, called the cyberattack the worst in the country’s history. Ukrainian officials, including a spokesperson for Ukraine’s SBU intelligence service, were quick to point fingers at Russia for the attack, though there was no evidence so far that Moscow was behind it.

Researchers told ABC News that they do not believe that a nation was behind the attack and suggested that it could have been launched by a lone cybercriminal.

"I think what’s happened here is someone is launching this tool to stock a Bitcoin wallet and is probably just surprised at how effective it is," said Erik Rasmussen, a former deputy prosecuting attorney and special agent with the U.S. Secret Service who now works for the cybersecurity firm Kroll. "This attack doesn't have a specific target, so it’s likely ransomware that’s gone awry and is just really good at doing damage."

Bambenek suggested that the surprise success of the virus has made its creator a top target for law enforcement.

"This individual has just put himself on the top of everybody’s dinner menu," he said.



Queen to receive massive pay boost from public funds

(LONDON) -- The Queen is getting a raise.

Queen Elizabeth II is expected to receive an 8 percent increase in income from public funding, according to the BBC.

The Sovereign Grant, which pays salaries for the royal household, is expected to be up just over £6 million (about $7.7 million) in 2018-2019, the BBC reports.

Sir Alan Reid, the Keeper of the Privy Purse, supports the pay boost, according to the BBC: "When you look at these accounts, the bottom line is the Sovereign Grant last year equated to 65p per person, per annum, in the United Kingdom.

"That's the price of a first class stamp.

"Consider that against what the Queen does and represents for this country, I believe it represents excellent value for money."

The increase in income will also cover extensive repairs on Buckingham Palace that are set to take 10 years. Lead pipes, cables, wiring, and boilers are expected to be replaced for the first time in 60 years as officials worry over fire hazards and possible water damage.



Brazilian President Michel Temer charged with corruption

(RIO DE JANEIRO) -- Brazilian President Michel Temer has called a bribery charge filed against him "fiction."

Temer was hit with an indictment by Brazil's chief prosecutor Rodrigo Janot filed with the Supreme Federal Tribunal on Monday, accusing the Brazilian leader of accepting bribes from an executive of JBS, a meatpacking firm involved in a corruption scandal.

"Where are the concrete proofs of my receiving this money?" Temer said in a televised address, according to the BBC.

"I will not allow myself to be accused of crimes that I did not commit."

Audio recordings were released last month with Temer apparently discussing bribes with JBS chairman Joesley Batista. The recording was presented in JBS plea bargain negotiations, the BBC reports.

Temer's predecessor, Dilma Rousseff, was removed from office nearly a year ago after the Senate found her guilty of breaking budget laws and voted in favor of impeachment.



Travel ban's 'bona fide relationship' test could open legal floodgates

(WASHINGTON) -- In allowing President Trump’s revised travel ban to partially take effect, the Supreme Court left key questions unanswered and likely opened the floodgates for additional litigation.

In a six-justice “per curiam” opinion, the high court ruled Monday that the administration could block entry of nationals from six Muslim-majority countries for 90 days and all refugees for 120 days with exceptions for foreign nationals who have a “credible claim of a bona fide relationship with a person or entity in the United States.”

But what is a “bona fide relationship?”

The test appears to be new and unprecedented in the context of immigration, legal experts told ABC News.

Heather Nauert, a State Department spokesperson, said in a press briefing Tuesday that lawyers for the Justice Department are in the process of determining what qualifies as a bona fide relationship.

“We don’t have a definition here at the State Department for that yet. None of the agencies has that definition just yet,” Nauert said. Once they have that definition and some guidance, they will share it with consular officers who review visa applications, she said, and may post it publicly online for visa applicants to see.

The court’s ruling provided some guidance on who should be granted entry to the U.S. under the “bona fide relationship” test: foreign nationals with family members in the U.S., students admitted to American universities, workers with U.S. job offers, and lecturers invited to address an American audience. But, the justices wrote, “not so someone who enters into a relationship simply to avoid” the travel ban.

Still, Daniel Pierce, an immigration lawyer at Fragomen, Del Rey, Bernsen and Loewy, LLP, wondered: “Is a potential student coming to visit U.S. colleges covered by the ban? Is a cousin or a brother sufficiently 'close' for familial purposes? Does it matter when someone was invited to address a U.S. audience, i.e. before or after the travel ban or the court’s opinion?”

“I suspect there are numerous agency lawyers poring over this opinion with an eye on how to answer these very tricky questions,” Pierce added.

John Cohen, a former Department of Homeland Security official and an ABC News contributor, said, "It is unclear to me who the ban would apply to, aside from someone who knows no one in the U.S. and is coming here on vacation.”

“Even in the case of tourism -- if I am coming to visit friends or family -- that could be allowable under the Supreme Court’s language,” Cohen said. Tourist visas from the six countries are already rare, said experts, especially because three of them, Iran, Libya and Somalia, do not even have U.S. embassies. The other three countries covered by the travel ban are Yemen, Syria and Sudan.

Three Supreme Court justices – Clarence Thomas, Samuel Alito and Neil Gorsuch – broke with the court’s majority on Monday to warn that the “bona fide relationship” test will be “unworkable.” Arguing that the travel ban should go into effect in full, the justices wrote that this “compromise” “will invite a flood of litigation” over who has “sufficient connections” to the U.S. and will burden administration officials who could face contempt of court if they get it wrong.

Among those likely to take legal action are refugee support networks, like the International Refugee Assistance Project, which is already a party to the Supreme Court's case. Betsy Fisher, the group’s political director, told ABC News that under their organization's interpretation, “This will apply fairly narrowly."

"There are many groups of refugees who already have close ties to the U.S.,” including those who have family members recently granted refugee status or asylum, Iraqis and Afghans who worked for the U.S. government, and refugees whose cases have been “assured,” meaning they’re in touch with a local resettlement agency already, she said.

According to the State Department, refugees already slated for arrival by July 6 have been told to proceed with resettlement. Beyond July 6, “We are not totally certain how that will work because again, this is in flux, this is in progress, this is a new development,” said Nauert.

Nauert pointed out that the U.S. is currently close to meeting the 50,000 cap on refugee admissions imposed by the Trump administration and is expected to hit that cap next week. But she said that refugees who prove a “bona fide” connection to the U.S. are not subject to that cap.

State Department officials told ABC News on Monday that at this point they do not know how many visa applicants or refugees will be denied entry based on the travel ban and the Supreme Court’s ruling, or how many visa applications have been or will be submitted based on “bona fide” relationships.

Monday’s Supreme Court ruling was a temporary stay of two lower court injunctions that blocked the travel ban. The Supreme Court agreed on Monday to take the case on the merits and hear arguments in October. But by then, legal experts predict, the case could be moot because the 90-day six-country ban and the 120-day refugee ban will have run their courses.


ABC News Radio