It's 3:15 AM. A monitoring alert fires: multiple workstations on the finance floor are encrypting files at an abnormal rate. The EDR has flagged a process named "svchost_update.exe". An employee reports their desktop wallpaper changed to a ransom note.
What is your first action?