Journaling
IrkDesigner, 2013-03-25 10:51:14

What to do when someone tries to brute force you?

Looked at the system event log today:
Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date: 03/25/2013
Time: 4:20:09
User: N/A
Computer: %ProxyName%
Description:
User "%SomethingUserName%" connected from %IPAdress% but failed to authenticate because the user's password was incorrect.
More information can be found in the Help and Support Center, at "go.microsoft.com/fwlink/events.asp".
The event occurred once per second, with a different username each time.
The connecting IP address was static; according to Whois it is in the USA. Well, we all know that anyone can use an American IP, it doesn't take much knowledge ...
And now the question: how should one respond to such a situation? What to do? What to counter it with, etc.


9 answers
Sergey Kharchenko, 2013-03-25
@lenferer

I don't want to seem like Captain Obvious, but you need to at least add a firewall rule that blocks access from the IP the brute-forcer is coming from.

cjey, 2013-03-25
@cjey

A bot is hammering you. Check for the failures and ignore them.

Sergei Borisov, 2013-03-25
@risik

*nix has fail2ban. I'm not sure, but I think you can find something similar for Windows. In any case, the principle should be something like this: 1) authentication error; 2) increase the timeout; 3) if the error from the same IP is repeated, say, 3 times, then block the IP, at least for a day. The main thing with such a scheme is not to make a mistake yourself more than 2 times in a row :))

Artyom Tsyplakov, 2013-03-25
@grimich

Change the port the remote access service listens on.

Igor, 2013-03-25
@shanker

Agree with the previous comment. Blocking an IP after a certain number of failed authentication attempts is considered a classic. It is also worth setting a timeout on authentication, so that after the password is entered the system pauses for, say, 3 seconds and only then reports the verdict. Many services have such a setting in their configs.
You can also recommend "hanging" the server on a non-standard port and restricting access to the server by IP address (if you know which addresses legitimate users will connect from). And for dessert: port knocking.

afiskon, 2013-03-26
@afiskon

Ban by IP, change the port, introduce other restrictions (the source port the connection is made from; if it is brute-forced over HTTP, you could check the User-Agent, etc.).

sarbash, 2013-11-29
@sarbash

Blocking an IP is not entirely correct, because behind one IP there can be thousands of other users behind NAT; in addition, bots or infected PCs can brute force from many different IPs.
Delays, yes; it is also possible to auto-lock the accounts that are being logged into after N unsuccessful logins. And the most reliable and simple measure was forgotten here: complex passwords.
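As an added example (not code from the thread or from any poster), here is a Python sketch of the scheme Sergei Borisov describes above (count failures per IP, grow the delay with each one, ban the IP for a day after 3 failures) extended with the per-account counter sarbash asks for, so that a brute force spread over many IPs against one account is still caught. The one-line-per-event log format, the usernames and the IP addresses are constructed for the example; a real deployment would read the Windows event log (Event ID 20189 from the question) or an SSH auth log instead.

```python
"""Sliding-window brute-force monitor over failed-logon events.

Added example; assumes a simplified text format constructed below rather than
the real Windows RemoteAccess event record.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one failure per second with a changing username from a
# single IP (as in the question), then one account hit from three different IPs.
SAMPLE_LOG = """\
2013-03-25 04:20:09 User "admin" connected from 192.0.2.10 but failed authentication: bad password
2013-03-25 04:20:10 User "administrator" connected from 192.0.2.10 but failed authentication: bad password
2013-03-25 04:20:11 User "root" connected from 192.0.2.10 but failed authentication: bad password
2013-03-25 04:20:12 User "guest" connected from 192.0.2.10 but failed authentication: bad password
2013-03-25 04:21:00 User "ivanov" connected from 198.51.100.7 but failed authentication: bad password
2013-03-25 04:21:30 User "ivanov" connected from 198.51.100.8 but failed authentication: bad password
2013-03-25 04:22:00 User "ivanov" connected from 198.51.100.9 but failed authentication: bad password
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) User "(?P<user>[^"]+)" '
    r'connected from (?P<ip>[\d.]+) but failed authentication'
)


def parse_events(text):
    """Yield (timestamp, user, ip) for every failed-logon line; skip the rest."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


class BruteForceMonitor:
    """Per-IP sliding-window counter with growing delay and temporary ban, plus a
    per-account counter so a distributed attack on one account is still caught."""

    def __init__(self, ip_threshold=3, window=timedelta(minutes=10),
                 ban_duration=timedelta(days=1), base_delay=1.0, account_threshold=3):
        self.ip_threshold = ip_threshold
        self.window = window
        self.ban_duration = ban_duration
        self.base_delay = base_delay
        self.account_threshold = account_threshold
        self.ip_failures = defaultdict(deque)       # ip -> timestamps inside the window
        self.account_failures = defaultdict(deque)  # user -> timestamps inside the window
        self.banned_until = {}                      # ip -> datetime when the ban ends
        self.locked_accounts = set()

    def _prune(self, dq, now):
        # Drop failures older than the window so old noise does not accumulate.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:            # ban expired: forget it
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, now, user, ip):
        """Register one failed logon and return the decision for this event."""
        decision = {"ip": ip, "user": user, "delay": 0.0, "ban_ip": False, "lock_account": False}
        if self.is_banned(ip, now):
            decision["ban_ip"] = True   # already banned: reject without counting
            return decision
        ipq = self.ip_failures[ip]
        self._prune(ipq, now)
        ipq.append(now)
        n = len(ipq)
        decision["delay"] = self.base_delay * 2 ** (n - 1)   # step 2: delay doubles
        if n >= self.ip_threshold:                           # step 3: ban the IP
            self.banned_until[ip] = now + self.ban_duration
            decision["ban_ip"] = True
            ipq.clear()
        acq = self.account_failures[user]                    # per-account counter
        self._prune(acq, now)
        acq.append(now)
        if len(acq) >= self.account_threshold:
            self.locked_accounts.add(user)
            decision["lock_account"] = True
        return decision


def analyse(text):
    """Run the monitor over a log; return per-event decisions and a summary."""
    mon = BruteForceMonitor()
    decisions = [mon.record_failure(ts, user, ip) for ts, user, ip in parse_events(text)]
    summary = {"banned_ips": sorted(mon.banned_until), "locked_accounts": sorted(mon.locked_accounts)}
    return decisions, summary


if __name__ == "__main__":
    for d in analyse(SAMPLE_LOG)[0]:
        print(d)
```

On the sample, the single-IP run is banned on its third failure and the fourth attempt is rejected outright, while the three-IP run against "ivanov" never trips the per-IP rule but does lock the account. In production the "ban" decision would feed a firewall rule and the "lock" decision the directory; the window and thresholds are the knobs that decide how much a NAT'd office shares the pain with an attacker.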

TapakaLLIko, 2014-02-28
@TapakaLLIko

gpedit.msc - Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security:
Always prompt for a password when connecting - Enabled
You can also read the help on that item. (Checked on W2K8; I don't know about earlier versions, I don't have one at hand.)

MrGroovy, 2020-12-07
@MrGroovy

They are trying to hack you by means of a brute force attack.

The event occurred once per second, each time the username changed.

The connecting IP address was static

Judging by your description, the attacker is not very experienced, since guessing passwords this way, without knowing the username, will take a very long time.
In this case, blocking by IP will be sufficient. For example, with iptables:
iptables -I INPUT -s 192.0.2.0 -j DROP
To protect against brute force, you can also change the SSH port to a non-standard one, use utilities or firewall settings to block scanners (such as NMAP), or use key-based access instead of a password. And since we are fighting a brute force attack, you can check whether password guessing is possible, for example with Hydra, and at the same time check for vulnerabilities associated with the operation of application protocols, using the Common Vulnerabilities and Exposures database.
Among online options, try METASCAN, a dedicated resource that can check most vulnerabilities and show whether it is possible to guess the password for databases, logins or SSH.
