How should infected systems be handled?

There is no general recommendation for action here, because the right response depends on the type of infection, which must already be known.

If a system is currently being encrypted, shut it down or disconnect it from the power supply as quickly as possible to avoid data loss. If a system is sending spam, disconnect its network connection, for example by unplugging the Ethernet cable. In addition, individual compromised mail accounts should be scanned for viruses, and their passwords should be changed from a clean device.


In all cases, however, do not panic and never delete data, as this will destroy any evidence.

last changed on 05/26/2025

Creative Commons License Agreement
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License