This morning on a 2012 domain controller active directory server share, all of the office documents, text files and pdfs got encrypted and renamed filename.extension.phszfud and I don't see any ATTENTION file, popups asking for money, or other instances of the word encryption and cryptolocker.
I've scanned all the workstations with SEP, trendmicro and malwarebytes, finding nothing but a few tracking cookies. Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.
When I rename a file, deleting the nefarious phszfud, the file tries to open in its original application and reports corruption. A text file renamed this way has contents that looks suspiciously encrypted.
Any ideas on where to look?