The virus spreads through spam emails that claim to be invoices. The emails carry .ZIP attachments containing .HTA files that pose as other file types by using a double extension. When one of these .HTA files is executed, the payload starts: it extracts a file named close.js to the %Temp% folder and executes it, which in turn extracts another executable with a gibberish name. This executable begins encrypting files on the computer. At the same time, the virus attempts to open a .DOCX file, which reports an error. Encrypted files do not get an extra file extension, so their names stay intact. So that the computer can still boot, Spora does not encrypt files in folders named "games," "program files," "program files (x86)," and "windows." The virus apparently works even when the computer is offline.
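A mail-gateway style check for the delivery method described above, as an added example that is not from the original page: it lists ZIP members whose final extension is an active type such as .HTA, including ones hidden behind a document extension. The extension sets, function names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy lists for this example; tune them for your environment.
ACTIVE_EXTS = {"hta", "js", "jse", "vbs", "wsf", "exe", "scr"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def suspicious_entries(zip_bytes):
    """Return (member name, reason) pairs for members that should be quarantined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so drop them before parsing.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
            # Strip padding around each part: "a.docx   .hta" hides the real extension.
            parts = [p.strip().lower() for p in base.split(".")]
            if len(parts) < 2 or parts[-1] not in ACTIVE_EXTS:
                continue
            if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                reason = f"double extension .{parts[-2]}.{parts[-1]}"
            else:
                reason = f"active content .{parts[-1]}"
            findings.append((info.filename, reason))
    return findings


def build_sample_zip(names):
    """Build an in-memory ZIP with harmless placeholder members (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed sample attachment; none of these names come from a real sample.
SAMPLE = build_sample_zip([
    "Invoice_0117.pdf.hta",
    "scan.DOCX   .HTA",
    "notes/readme.txt",
    "report.v2.pdf",
    "tool.hta",
])

if __name__ == "__main__":
    for name, reason in suspicious_entries(SAMPLE):
        print(f"QUARANTINE {name!r}: {reason}")
```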
When encryption is finished, it runs a CLI command that deletes shadow volume copies, disables Windows Startup Repair, and changes BootStatusPolicy. It then adds a ransom note and the .KEY file to the desktop and other folders. The website itself is on a Tor gateway that is not publicly advertised. To access the site, the victim must enter the infection ID, after which the site shows various payment options. Payments, however, can only be made in Bitcoin.
Unfortunately, the creators of this ransomware clearly knew that people would write decryption software for it, so they made the process by which an infected user gets their files back very complex. This means that, for now, the only way to be rid of the Spora ransomware is to go to the website and pay the ransom. Fortunately, it seems the people who run the website will help those hit by this ransomware earn what is required to pay the ransom off faster through various means, and not in rather cruel ways. They will actually assist people and show them how to obtain bitcoin faster if they cannot buy it.