Immediately: disconnect the device from the network (pull the ethernet cable or turn off Wi-Fi — don't just close the laptop). Do not turn the device off. Call your IT provider's emergency line. Do not use the affected device to send messages, log into accounts, or try to investigate.

In the next hour: your IT provider should assess whether credentials were entered, whether malware was downloaded, and whether lateral movement has begun. If you don't have an IT provider with 24/7 availability, now is the moment you'll feel the gap.

This is why having documented emergency contacts and an IT partner who answers at 3AM matters — not abstractly, but specifically in this moment.