What's the probable cause for extremely low inbound traffic and high outbound traffic?
Solution 1:
One likely possibility is an amplification attack. If you are running an open recursive DNS resolver (there are other protocols you can do this with though), for example, you can receive a very small UDP packet that has a spoofed IP address. Your server then generates a large response and sends it to the victim, thinking that it's a legitimate request.
Another possibility is that someone was exfiltrating data off your network. If someone got into your server and was offloading every byte they could find, it would look like that as well.
There's no way to know which one it was without doing an investigation, and hoping that whatever did happen left evidence. If it's the latter (exfiltration) then they probably cleared their tracks as best they could.
Solution 2:
I agree with the possibility of an amplification attack. The simplest way to handle this is to use DigitalOcean's free cloud firewall.
Only allow SSH, HTTP,and HTTPS inbound. If possible, only allow SSH from your trusted IPs.
You can do this using the firewall on your VM, DO's solution is just easier.