1. Identify the nature of the attack.
It makes no sense to restore your environment before you understand the nature of the attack, how the attackers are accomplishing their objectives and ultimately contain the attack. If attackers are still in the environment and malware has not been contained systems will become compromised again, the attackers will encrypt your systems again, or data will be destroyed. More often than not, malware infiltrates a network when somebody opens up a malicious attachment.
Image Source: hackingmind.com