The virus is spread through spam emails that claim to be invoices. The emails carry .ZIP attachments containing .HTA files that pose as other file types by using a double extension. When one of these .HTA files is executed, the virus starts its payload. The payload extracts a file named close.js to the %Temp% folder and executes it, which in turn extracts another executable with a gibberish name. This executable begins encrypting files on the computer. At the same time, the virus attempts to open a .DOCX file, which reports an error. Encrypted files do not get an extra file extension, so their names stay intact. To prevent booting from failing, Spora will not encrypt files in folders named "games," "program files," "program files (x86)," and "windows." Apparently the virus works even when the computer is offline.
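A mail-gateway style check for the delivery trick described above, added here as an example and not part of the original article: it lists ZIP members whose name ends in a script or program extension hidden behind a document extension. The extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy lists for this example; tune them for your environment.
ACTIVE_EXTS = {".hta", ".js", ".jse", ".vbs", ".wsf", ".exe", ".scr"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def double_extension_members(zip_bytes):
    """Return (member, decoy_ext, real_ext) for entries named like 'x.pdf.hta'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Judge the base name only; Windows ignores trailing spaces and dots.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
            parts = base.lower().split(".")
            if len(parts) < 3:
                continue  # zero or one extension: not the double-extension trick
            # Padding spaces before the real extension hide it in narrow columns.
            decoy, real = "." + parts[-2].strip(), "." + parts[-1].strip()
            if real in ACTIVE_EXTS and decoy in DECOY_EXTS:
                hits.append((info.filename, decoy, real))
    return hits


def build_sample_zip():
    """Constructed attachment: harmless placeholder bytes under test names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("Invoice_0417.pdf.hta",      # flagged
                     "docs/Scan.DOCX      .HTA",  # flagged: case and padding
                     "report.v2.pdf",             # dotted name, real type is pdf
                     "notes.txt"):                # single extension
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, decoy, real in double_extension_members(build_sample_zip()):
        print(f"SUSPICIOUS {member!r}: looks like {decoy}, runs as {real}")
```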
When encryption is finished, it runs a CLI command that deletes shadow volume copies, disables Windows Startup Repair, and changes BootStatusPolicy. It then adds a ransom note and the .KEY file to the desktop and other folders. The ransomware's website is on a Tor gateway that is not publicly advertised. To access the site, the infection ID must be entered. Once the ID is entered, the site shows various payment options. Payments, however, can only be made using bitcoins.
Unfortunately, the creators of this ransomware clearly knew that people would make decryption software for free, so they made the method of getting files back very complex. This means that, for now, the only way to be rid of the Spora ransomware is to pay the ransom. Fortunately, it seems that the people who run the website where the key is obtained will help those hit by this virus earn what is required to pay the ransom off faster through various means, and not through rather cruel ways of getting the bitcoins. They will actually assist victims with the typical ways of obtaining bitcoins faster if they cannot buy them outright.