The natural reaction to a breach is to immediately power down the infected device or system. Cutting the power could mean disaster. Some forms of malware are designed to destroy data and self-destruct in the event of a shutdown. Rather than powering down, remove the network cable.
Make a list of all current and former employees who could have accessed the system. Also include all vendors and outside parties with access. Sadly, many of the worst breaches are “inside jobs.”