BALTIMORE—Local governments across the country are facing a growing threat of cyberattacks and escalating ransom demands, as an attack in this city has crippled thousands of computers for a month.

“Ransomware is a pandemic in the United States,” said Joel DeCapua, supervisory special agent in the Federal Bureau of Investigation’s cyber division, referring to a particularly devastating form of malicious software. Hackers are increasingly going after larger targets, compared with five years ago, when most ransomware attacks hit home computers, he said.

Municipalities in general are less prepared than companies due to limited resources and difficulty competing for cybersecurity talent, security professionals say. They are also increasingly reliant on technology to deliver city services and some have aging computer systems, according to Standard & Poor’s.

Ransomware attacks often start when an employee opens a link or an attachment in a phishing email. Hackers can also exploit vulnerabilities in a security system. The ransomware then blocks files the cyberattackers say they will unlock in return for a payment, typically in bitcoin.

Local governments must decide whether to pay off the hackers to try to limit damage. Baltimore, which was hit by hackers on May 7, says it won’t pay a $76,000 ransom. Others have paid, including a Georgia county that said it complied with a $400,000 demand in March.