Start from the network core and work outwards, towards the endpoints and users. Decrypt devices in isolation from the network. If the decryption process requires connectivity, then connect and decrypt one item at a time.
Once each item is decrypted (and hopefully still isolated), install and run the most comprehensive virus detection and removal software available, before reconnecting, one device at a time, back into the network. https://www.fieldengineer.com/....article/how-to-becom