Top priority:
1. Disconnect the internet for the office/business. Because this machine is pwn’d, the adversary could have compromised other machines and devices (including routers) nearby using this machine as a foothold into the network.
2. Change any banking, cloud backup, or sensitive account passwords that were used on this machine. Pay close attention to any that were saved on any web browsers. Do not use a machine that was connected to this machine to change these passwords (except for up-to-date iOS device such as an iPhone or iPad that was released in the past five years, released NOT bought!). I’ve seen these types of actors jump from one foothold, to a user’s Android or outdated iPad in the matter of minutes with zero user interaction so assume the worst but hope for the best.
3. Weight your options: hiring in professional mitigation ($$$) or DIY it.
4. If DIYing it, I’m guessing you are dealing with a cryptolocker so get your offline backups ready and I’m assuming a flat network architecture so at a minimum restart all networking devices (kicks out non-persistent stage 1 type malware) or replace the networking devices if it has been more than two-three years since these devices were released.
This covers it pretty well. For #4, I wouldn't immediately assume you are dealing with ransomware, it sounds more like just a remote access user exploit, but this can be readily confirmed by pulling the drive and connecting it to another system or booting the current computer from a Linux live DVD/USB. You'll be able to see if the files on the drive are still accessible. If they are, then I'd just buy a new SSD and do a fresh install of Windows on it, then copy back the pertinent files from the old drive.
Which brings us to these points, which are also quite good:
Yes, first and foremost disconnect the computer from internet and shut it down.
These guys are not as elaborate as many think. They are not even hacking, just exploiting remote access software and peoples lack of understanding how it works. They are after the contents of the computer and what’s on it. They usually stop there and don’t compromise anything else as they lack the knowledge and are just working from a how to document.
The next question is what’s on the computer and what other information was given to them? Start calling banks, credit card companies etc. and blocking all purchases.
Which brings us back to #2 from the above list, get all that sorted first. Get the money and account situation secured, that's the most important. I'd operate under the premise that the router could have been compromised depending on what it is. If it's a cheap consumer grade one at minimum I'd factory reset it and set it up fresh with a new password in case they were able to gain access and setup some port forwards.
As
@IveBeenRued noted, if the browser was setup to save passwords for any sites, I'd change all of them.
Whether you need to start looking at restoring from backup will depend on your investigative efforts with respect to the contents of the old drive.
It's definitely far better to assume the worst and get pleasantly surprised than not doing your due diligence and making the situation worse. Assume anything that could be accessed from the compromised workstation (like the router) has been and for the love of God, don't turn that computer back on and let it boot, as if in the event that it IS ransomware and you've managed to stop it before it got too far, you will make it decidedly worse. You'll know more on that front once you are looking at the drive from outside its environment.
As KrisZ said, it's very often that these attacks aren't overly complicated. The actors use a standard piece of remote access software (LogMeIn, TeamViewer...etc) while pretending to be a vendor (Microsoft is the most common) and then extracting money from you either directly, by stealing your information (because folks of course have their browser save login info or they can get all the information necessary to access accounts and the like from the accounting software screens) or telling you that you have a "problem" that will require payment to rectify.
