I have also set up a honeypot for crypto activity (got the idea here on SpiceWorks but can't find the original article).
I set up a folder at the top and bottom (alphabetically) on my main file share (i.e. -HoneyPot and Z-HoneyPot). Then I put a couple of bogus files on both those directories. I then put in a text file in that folder named DO NOT DO ANYTHING IN THIS FOLDER (or something to that effect) to lessen the likely of a user doing anything with the folder. Then I set up an FSRM to notify me if ANY file has been written to that directory.
The idea is that if any crypto infection makes it to the network, it will start with either of my honeypot folders at the top or the bottom of the file system. When it adds its instructions file (no matter what it's named), I'll get notified of the file name and the person that put it there...