Can you do this? Fix the RW permissions (i.e. disable AFP), then from a console:
inotifywait --fromfile /boot/config/plugins/ransomware.bait/filelist -e move,delete,delete_self,move_self,close_write
Now re-enable AFP, which you're saying gives the false trips. The command should exit. Post the output.