Hopefully you have backups, but sorry there's not a lot to do now. You could have a shop perform forensics on whatever server(s) were affected. Unfortunately, that will be expensive. At my job, I think we charge $300/hour for forensics work, it might be $325 now.
In the future, don't have RDP enabled from the internet. It's just asking for trouble. You should have users log into the VPN first and enable RDP from the VPN subnet.
Don't try to hide RDP by putting it behind another port either, it doesn't really fix anything. Enable two factor on every logon possible. I believe ransomware has been stealing confidential data before encrypting these days, so you have that to worry about as well. To be honest with you, I would probably call a local forensics place and get a consultation. You may still be infected. Do you have a SIEM so you can search logs? You could also install sysmon (
(you need an account to see links)) with the networking option enabled. That's what we do when working a forensics case -- install sysmon first to get an in-depth look at what's running (and the hashes for processes that are running as well).