You receive an alert that a user's workstation has been compromised by ransomware. What are your immediate first steps?