If a critical production system at St Engineering experiences a suspected ransomware attack, what are your immediate first three steps?