I think you have been hit by the same attack as Ransom attack on Elasticsearch cluster? because your cluster is open on the internet. You should read that topic and also this one (including the linked blog posts): Protect your data from ransom attacks