Ransomware which sets up LAMP servers?
I can't fathom how spreadsheets from someone's workstation drive ended up in a public-accessible web folder on a server. Unless the company used a central server and web interfaces for it's document storage? Or perhaps the visible documents were placed there by extortionists to prove that they'd hacked their network and were rummaging around... ?