Step 1:
Try to get in contact with the person and see if he/she is willing to help you share details on entering your systems. Thank this person and see if you can provide a reward.
Step 2:
The next step is setting up new systems and starting from scratch. Install the systems, start with basic system hardening and up-to-date software packages. Use https://github.com/CISOfy/lynis to validate your configuration.
Do not have any interaction or data exchange with the old (compromised) systems.
Step 3:
Save all running systems to learn from the event. See if you can find the main cause of why this happened.
Step 4:
Learn about security; hire someone on your team with security knowledge.
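One way to make step 2 a checkable gate rather than a one-off look at Lynis output, as an added example that is not part of the thread: a small POSIX shell script that reads the key=value report Lynis writes (assumed to be /var/log/lynis-report.dat with hardening_index=, warning[]= and suggestion[]= lines) and refuses to declare the rebuilt host ready while warnings remain or the index is below a threshold. The report below is a constructed sample (test IDs are illustrative) so the script runs offline.

```shell
#!/bin/sh
# Added example: gate a rebuilt host on its Lynis report before it replaces
# the compromised one. Assumes the lynis-report.dat layout described above.
REPORT="${LYNIS_REPORT:-${TMPDIR:-/tmp}/lynis-report-sample.dat}"
MIN_INDEX="${MIN_INDEX:-70}"

# Constructed sample report (not real Lynis output from any host).
cat >"$REPORT" <<'EOF'
# constructed sample lynis-report.dat
lynis_version=3.0.9
hardening_index=64
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict|-|
suggestion[]=PKGS-7392|Check package updates|-|
EOF

# Print the hardening index (0-100) recorded in the report.
lynis_index() {
  sed -n 's/^hardening_index=//p' "$1" | head -n 1
}

# Print "TEST-ID: description" for every entry of a key (warning/suggestion).
lynis_list() {
  grep "^$2\[\]=" "$1" | sed 's/^[a-z]*\[\]=//' | awk -F'|' '{ print $1 ": " $2 }'
}

# Count entries of a key; prints 0 when there are none.
lynis_count() {
  lynis_list "$1" "$2" | wc -l | tr -d ' '
}

# Return 0 only when the index meets the threshold and no warnings remain.
lynis_gate() {
  report=$1; min=$2; status=0
  idx=$(lynis_index "$report")
  warnings=$(lynis_count "$report" warning)
  [ "${idx:-0}" -ge "$min" ] || { echo "hardening index ${idx:-0} below $min"; status=1; }
  [ "$warnings" -eq 0 ] || { echo "$warnings warning(s) must be fixed:"; lynis_list "$report" warning; status=1; }
  return $status
}

if lynis_gate "$REPORT" "$MIN_INDEX"; then
  echo "host passes (index $(lynis_index "$REPORT")); OK to bring into service"
else
  echo "host NOT ready; open suggestions:"; lynis_list "$REPORT" suggestion
fi
```

Run it on a real host with `LYNIS_REPORT=/var/log/lynis-report.dat` after `lynis audit system`, and raise `MIN_INDEX` as the baseline improves.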
"Thank this person and see if you can provide a reward"
This should be:
"Thank this person and provide a reward"
Looking at all the other steps you'll have to go through to remedy the situation, this is the least of your costs (provided they cooperate and are not malicious).
Step 2: The next step is setting up new systems and starting from scratch. Install the systems, start with basic system hardening and up-to-date software packages. Use https://github.com/CISOfy/lynis to validate your configuration.
Do not have any interaction or data exchange with the old (compromised) systems.
Step 3: Save all running systems to learn from the event. See if you can find the main cause of why this happened.
Step 4: Learn about security; hire someone on your team with security knowledge.
Step 5: Do regular (technical) audits.