1. Disconnect all computers and servers from the Internet ( to stop hack and stop encrypting ) 
2. Find the Source of the Hack ( Sometimes this can be as easy as finding the server and PC that started Encryption )
3. Restore Servers from a backup to a point in time before the hack and rebuild and compromised workstations
4. Check customer passwords on https://hashcast.axur.com/pricing or haveibeenpwned 

Tools

1. MFA , MFA , MFA
2. Windows and Software and Hardware Updates everywhere ( Reduce attack vector ) 
3. Install a good antivirus like SentinelOne to stop future hacks
4. Make sure your Router has things like IPS and Web Filtering
5. Make sure you have a good spam filter in front 
6. Run pingcastle.com report on AD Security 
7. https://pariswells.com/blog/research/ioc-scanners-after-crypto
8. Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords
9. User Phish Testing