The attacker may have placed a logic bomb, which will trigger when the shutdown command is issued.
The incident response team needs to retrieve information stored in volatile memory such as RAM.
Actually, the correct procedure in this case is to power off the server. This helps prevent the attacker from spreading deeper into the network.
This will alert the attacker that they’ve been discovered, prompting them to delete data or install ransomware before their foothold in the network is severed.